
Anyone can set the source IP on their packets to be anything. I can send you TCP SYNs which are apparently from Cloudflare.

There was a proposal (BCP38) which said that networks should not allow outbound packets with source IPs which could not originate from that network, but it didn't really get a lot of traction -- mainly due to BGP multihoming, I think.



BCP38 has gotten some traction, but it's not super effective until all the major tier-1 ISPs enforce it against their customers. But it's hard to pressure tier-1 ISPs; you can't drop connections with them, because they're too useful; anyway, if you did, the traffic would just flow through another tier-1 ISP, because it's not really realistic for tier-1s to prefix filter peerings between themselves. Anyway, the customer that's spoofing could be spoofing sources their ISP legitimately handles, and there's a lot of those.

Some tier-1s do follow BCP38 though, so one day maybe? Still, there's plenty of abuse to be done without spoofing, so while it would be an improvement, it wouldn't usher in an era of no abuse.
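An added example, not part of the thread: a small model of BCP38-style source validation showing the two limits raised above, multihomed customers and spoofing inside a range the ISP legitimately handles. The customer names, prefixes (documentation ranges) and the `evaluate` helper are all constructed for illustration.

```python
import ipaddress

# Constructed topology using documentation prefixes; every name is hypothetical.
ISP_AGGREGATE = ["198.51.100.0/24"]            # what an upstream knows this ISP handles
ASSIGNED = {                                   # prefixes this ISP assigned per customer
    "cust-a": ["198.51.100.0/26"],
    "cust-b": ["198.51.100.64/26"],
}
OTHER_PROVIDER = {                             # cust-b is multihomed: space from another ISP
    "cust-b": ["203.0.113.0/25"],
}

def _match(src, cidrs):
    """True if src falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(customer, src):
    """Return the verdict (True = forward) of three filter placements."""
    own = ASSIGNED[customer]
    return {
        # Edge filter built only from this ISP's own assignments.
        "edge_assigned_only": _match(src, own),
        # Edge filter that also lists the customer's space from other providers.
        "edge_with_multihoming": _match(src, own + OTHER_PROVIDER.get(customer, [])),
        # Filter one hop up, which can only check the ISP's aggregate.
        "upstream_aggregate": _match(src, ISP_AGGREGATE),
    }

# Constructed sample packets: (sending customer, claimed source address, note)
SAMPLES = [
    ("cust-a", "198.51.100.10", "cust-a's own address"),
    ("cust-a", "198.51.100.70", "cust-b's address, inside the ISP aggregate"),
    ("cust-a", "192.0.2.1",     "address outside the ISP entirely"),
    ("cust-b", "203.0.113.5",   "legitimate multihomed source"),
]

if __name__ == "__main__":
    for customer, src, note in SAMPLES:
        print(f"{customer} {src:15} {note}: {evaluate(customer, src)}")
```

The second sample passes the aggregate check while failing both edge checks, so only filtering at the customer edge catches it; the fourth is dropped by any filter that does not know about the customer's other provider.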



