>"BGP has no built-in security."
That's an over-simplification to the point where it's verging on falsehood. You try opening a BGP connection from your home or office (i.e. ISP end-user) computer to any random router out there on the internet; it won't accept anything from you.
BGP routers are configured by the network admins to know who their peers are and only accept updates from them, and most of them use shared-secret MD5-based signatures as a form of (admittedly weak) authentication. Faking a BGP update would require both knowing the particular shared secret for a particular peer-peer link *and* blind IP spoofing as one of the peers; it's only valid authorised peers who can inject (whether by accident or design) bad data into the BGP routing tables.
It would be a bit more accurate to say that BGP has no data validation rather than no security at all, as the problems arise when someone emits routing updates for routes they don't have the right to originate. This becomes a particular problem as some enterprise-level ISPs sell a service where the customer can supply their own BGP router and originate routes from it; the ISPs should be filtering these routes rather than blindly passing them on, but that's still basically a data validation/GIGO issue.