The two questions are, first, why can't router software let us stamp out address spoofing? And secondly, why do we use firewalls?
Address spoofing depends crucially on being able to hide the real source address, so why not make that impossible?
One way to do it would be to have all the ISPs and network carriers whose connections constitute the Internet certify where packets entering the network come from.
Any packet has to have an origin characterized, from an Internet perspective, by the point at which it first reaches part of the shared resource -- usually a router or other device maintained by an ISP or backbone carrier. Suppose, therefore, that we put software on those devices that allows them to form a self-authenticating community and insert a signed source address into every packet forwarded from the customer's premises.