Because the bumper image actually is loaded from a domain name which is insecure. It actually has dnssec data for the A record for the web server, but the A record actually contains a bad signature. A browser that was properly protected, either within the browser itself or because your site's recursive validating resolver was secured, it would prevent you from retrieving this image since the zone date for the web server was known to be bad. For a list of our test records, see our Test Zone page.
Here's a screen shot from a secured version of firefox looking at the same page:
Additionally, the firefox extension bundled with dnssec-tools 1.2 will provide the ability to see how many DNS lookups were done for a given page, and which ones were validated, simply trusted, and which were broken:
