However, the real problem stays: There are hundreds of CAs out, which are trusted by default by your browser. You probably never heard about most of them. They operate in different countries - you cannot sue them easily from your country. All of them can (technically) also issue certs for all Web sites (even for Web sites that have an existing cert from somebody else).
That's not the real problem. The real problem is that what happened to Diginotar could happen to a really big CA, and then removing it from the browser breaks half the web.
Well, it can only happen to CAs, which do not know security (and since we have hundreds of them in our browsers, it is very likely that there are others that are as bad as DigiNotar). However, reducing the number of CAs is not a solution, as this will just elevate the risk for a each security breach at a CA. The only solution is delegate the "trust" relationship in a way that it economically VERY interesting that the delegate checks the trustworthiness of the CA. E.g. your bank for certs that is used for online payments - if the (by the bank trusted) CA fails, it's the bank that pays the damages. Unfortunately, I do not have yet an idea of certs used by "free" Webmail (e.g. gmail).
And it is a BIG problem, that each CA can issue a cert, even for Web sites that already have a cert from another CA (as it happened for gmail in the DigiNotar case).