> 1) First I would have done only countries and no other TLD.
Personally, I would have done the opposite, and demoted country-specific sites to a second-level domain like .us.gov. The Internet is an international network; forcing every domain to be classified first and foremost according to its national origin would cause needless discord. Only a small minority of sites are truly country-specific.
> It could have been debian.cc or debian.de or any other that they wanted.
In which case the country code would communicate zero information about the site—so why have it at all?
What might make more sense would be using registrars as TLDs (e.g. google.mm for MarkMonitor), with a convention that multiple TLDs can contain the same subdomains if and only if they mirror each other. This would tie in well with DNSSEC while also avoiding the need to defend one's domain name against scammers in a million separate TLDs. If a government just happens to run its own registrar it could use the country code for its TLD alongside non-country TLDs. The main difference from the current system would be that TLDs would be generic rather than catering to a particular kind of site, which is mostly the case in practice anyway: .com no longer implies commerce, not every .org is a non-profit, .net does not imply an ISP, etc. Instead, the TLD would imply a trust relationship; the name "google.mm" would imply looking up the "google" subdomain in the MarkMonitor domain registry, which would presumably be listed among the user's local trust anchors. If there were an alternative domain like "google.vs" (for VeriSign) it would be required to resolve to the same address.