That's not "lack of diligence", that's a fundamental bootstrapping problem. CAs are meant to verify identities. If the identity you are trying to verify is not itself cryptographically verifiable, then the attempt to verify can be tampered with,
Agreed in general, but I don't think a single email counts as "diligent verification". It's doing the bare minimum the browser vendors will let them get away with.
but the only way to solve that is to use harder to verify identities.
Specifically validating through multiple independent channels so that an attacker would have to compromise all of them to get the certificate.
The proper fix is to get rid of third party CAs entirely and integrate certification of domain ownership with the purchase of the domain.
Which is what EV certs do, and my own experience of getting one was pretty smooth.
EV helps a little, but the web's page-by-page model works against it. The connection where a form is received and the connection where it is submitted are logically separate, and afaict there is nothing requiring them to use the same certificate. So an attacker who has a regular certificate for a domain that normally uses an EV certificate can avoid MITMing the initial connection (likely the request for the login form) and show the green bar. Then they can MITM the second connection and grab the form data.
I was disappointed to find that HTTP Strict Transport Security doesn't seem to do anything to address this.