The certificate system is badly broken on a couple of levels. Most obvious and relevant to the OP is that there are 650 root CAs that can issue certs, including some state-run CA's by governments with potentially conflicting political interests or poor human rights records.
It is useful to think about what we use SSL certs for:
1) Establishing an encrypted link between our network client and a remote server to foil eavesdropping and surveillance.
2) To verify that the remote server is who we believe it to be.
Problem 1 is by far the most important, so much more important than number 2 that number 2 is almost irrelevant, and fundamental flaws with feature 2 in the current CA system make even trying to enforce verification almost pointless. Most users have no idea what SSL verification actually means or what any of the cryptic (no pun intended) and increasingly annoying alerts warning of "unvalidated certs" mean anyway.
What I find most annoying is that the extraordinary protective value of SSL encrypted communication is systematically undermined by browsers like Firefox in an intrinsically useless effort to convince users to care about verification. I have never, not once, ever not clicked through the warnings on a web site to access it. And even though I often access web sites from areas that are suspected of occasionally attempting to infiltrate dissident organizations with MITM attacks, I still have yet to see a legit MITM attack in the wild myself. But I do know for sure that without SSL encryption my passwords would be compromised - how many of us get spam from friends with Yahoo accounts? Yahoo still does not SSL encrypt login by default and so accounts are regularly compromised by spammers. Encryption really matters and is really important to keeping communication secure. Anything that adds friction to encryption should be rejected.
Self-signed certs and community certs (like CACert.com) should be accepted without any warnings that might slow down a user at all so that every website, even non-commercial or personal ones have no disincentive to adding encryption. HTTPSEverywhere. Routers should be configured to block non-SSL traffic (and HTML email, but that's another rant. Get off my lawn.).
Verification is unsolvable with SSL certs for a couple of reason, some due to the current model, some due to reasonable human behavior, some due to relatively legitimate law-enforcement concerns:
Obviously the OP makes clear that the current model is badly broken because the vast majority of issuing companies have every reason to minimize the cost of providing a cert which means cutting operational costs and increasing the risk of human error. Though even at a well run notary, human error is likely to occur, especially as notaries in different countries, speaking different languages can issue certs for companies in any other location. Certificate issuance by commercial entities is fail. A simple error can, because registrar certs are by default trusted, compromise anyone in the world. One mistake, everybody is at risk. Pinning does not actually reduce this risk in advance, though rapid response to discovered breaches can limit the damage.
But even if issuance were fixed, it wouldn't necessarily help. Most people would happily click through to www.bankomerica.com without thinking twice. Indeed, as companies may have purchased almost every spelling variation and point them all toward their "most reasonable" domain name, it isn't unreasonable to do so. If bankomerica.com asked for a cert in tashkent, would the (or even should they) be denied? No - green bar, wrong site. Even if they were non-SSL encrypted, it isn't practical to typo-test every legit URL against every possible fake, the vast majority of users would never notice if their usual bank site came up unencrypted (no cert at all). This user behavior limitation fundamentally obviates the value of certs for identifying sites. But even a typo-misdirection is assuming too much - all of my phishing spam uses brand names in anchortext leading to completely random URLs, rarely even reflective of the cover story, the volume of which suggests this is a perfectly viable attack. This user problem is mostly an issue for average users and below, but (hopefully) less so for dissidents or political activists in democracy challenged environments that may be subject to MITM attacks because (one hopes) they might actually pay attention to cert errors or use perspectives or crossbear. User education can help, but in the end you can't really solve the stupid user problem. If people will send bank details to Nigeria to assist in the transfer of millions to help a nationality abandoned astronaut expatriate his back pay, there is no way to educate them on the difference between https://www.bankofamerica.com/ and http://www.bankomerica.com./ The only viable solution is distributed trust as implemented by GPG (explicit chain of trust) or Perspectives (wisdom of the masses); both of these seem infinitely more reliable than trusting any certificate registry, whether national or commercial and both escape the cert mafia by obviating the need for a central authority and the overhead entailed.
Further, law enforcement makes plausible arguments for requiring invisible access to communication. Ignoring the understandable preference for push-button access without review and presuming that sufficient legal barriers are in place to ensure such capabilities protect the innocent and are only used for good, it is not rational to believe that law enforcement will elect to give up on demanding lawful intercept capabilities. Such intercept is currently enabled by law enforcement certificates which permit authorized MITM attacks to capture encrypted data without tipping off the target of the investigation. Of course, if the US has the tool, every other country wants it too. Sooner or later, even with the best vetting, there is a regime change and control of such tools falls into nefarious hands (much like any data you entrust to a cloud service will sooner or later be sold off in an asset auction to whoever can scrape some residual value out of your data under whatever terms they way, but that too is a different rant). Thus it is not reasonable for activists in democracy challenged environments to assume that SSL certs are a secure way to ensure their data is not being read. Changing the model from intrinsic, automatic trust of authority to a web-of-trust model would substantially mitigate the risk of lawful intercept certs falling into the wrong hands, though by making such certs useless or far harder to implement (LE would have to go to specific sites to get either a cert copy or to directly gather decrypted traffic, which would tend to favor US-based LE over foreign entities that might have a harder time convincing a US-based company to give up user data, though big cloud players with an international presence don't have a choice about this).
There is no perfect answer to verification because remote authentication is Really Hard. You have to trust someone and the current model is to trust all or most of the random, faceless, profit or nefarious motive driven certificate authorities. Where verification cannot be quickly made and is essential to security, out of band verification is the only effective mechanism. Sadly, the effort to prop up verification has made at the compromise of encryption, most recently Gmail rejecting self-signed certs for POP. That's insanely stupid. False security is being promoted at the expense of real security.