But do you really think there is a single US CA out there that would say no to a national security letter requiring them to issue a torproject.org certificate if they actually needed it?
NSLs request data. You're probably thinking of a court order. And of course the answer is no, they'd follow the order. But what makes you think a person taking part in the WoT would refuse a court order where a CA would roll over? Jail time sucks the same for both. The idea that CAs are uniquely vulnerable doesn't really make sense, given that the WoT lets you see who trusts whom and serve a court order on anyone in the chain.
Stuxnet actually proves another part of why the CA system is utterly broken. Because they just had to break in *somewhere* in order to get a key signed by *any* CA in order to sign their stuff.
I think you are confused. Yes, Windows will load any driver signed by a member of the Windows hardware program. How else do you think it's supposed to work? Once code is loaded into the kernel it can do anything it likes, and there's not much technical way to stop it with current-gen kernels, so there's no way to issue a certificate for one kind of driver but not another kind; it would be meaningless. Regardless, even if there was, the decision about how much power a signing key has for Windows is entirely Microsoft's decision; it has nothing to do with CAs.
I suspect you are thinking of the "any CA can sign for any domain name" issue in SSL. It has both weaknesses and strengths. The weakness is that if any CA is compromised, they have full power. The strength is that there's lots of competition, which helps keep prices down and makes revocation actually a realistic threat, because the customers of a CA that's about to be revoked DigiNotar-style can go to any other CA to get fresh certs. You're never in a situation where the CA you want to revoke is the last man standing for some class of names.