And they have to do that precisely because there are 170 or so entities of various levels of dubiousness that are by default authorized to sign any certificate for any domain, and everybody knows that this is fundamentally a horrible idea.
For that matter, since HPKP requires sideband key management, it's
A) an admission that PKI doesn't actually work, and
B) a pretty clear example of why the CAs are unnecessary
If you have pinned certificates you are essentially operating exactly the way 99% of us do with SSH (only rather better because there are several million eyes on high-value certificates), which means you don't need CAs anymore.
Pins are either built into the browser by the vendor, or assigned on first access AFTER a successful server authentication (via the cert).
Pins are trusted/verified through another channel.
SSH TOFU trust occurs before server authentication. It has no defense against an ALWAYS MITM. Of course there are far fewer ALWAYS MITMs for SSH than for TLS.
You have no way of validating the pubkey you have written to known_hosts against anything else.
Your browser does (for high-value sites). That's what certificate pinning and HPKP are for.
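The two trust flows being contrasted above, as an added example that is not part of the thread: an SSH-style known_hosts client that records whatever key it sees first, beside a browser-style pinning client that validates the certificate chain first and only then honours a Public-Key-Pins header or a vendor preload. Pin values are computed as RFC 7469 specifies (base64 of SHA-256 over the DER SubjectPublicKeyInfo). The keys, CA names and host name are constructed, and chain validation is reduced to an issuer lookup in a trust store, which is a stand-in for real path validation.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample keys. A DER SubjectPublicKeyInfo for an Ed25519 key is the fixed
# RFC 8410 prefix followed by the 32 raw key bytes; the key bytes below are made up.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SITE_SPKI = ED25519_SPKI_PREFIX + bytes(range(1, 33))
BACKUP_SPKI = ED25519_SPKI_PREFIX + bytes(range(33, 65))
MITM_SPKI = ED25519_SPKI_PREFIX + bytes(range(65, 97))


def pin_sha256(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str, chain_spkis: list) -> set:
    """Parse a Public-Key-Pins header. RFC 7469 requires max-age and a backup pin
    (one that does not match any SPKI in the served chain); otherwise ignore it."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value))
    if not re.search(r"max-age=\d+", value):
        raise ValueError("missing max-age")
    if not (pins - {pin_sha256(s) for s in chain_spkis}):
        raise ValueError("no backup pin")
    return pins


@dataclass
class SshTofuClient:
    """SSH-style trust on first use: nothing authenticates the key before it is recorded."""
    known_hosts: dict = field(default_factory=dict)

    def connect(self, host: str, server_spki: bytes) -> str:
        if host not in self.known_hosts:
            self.known_hosts[host] = server_spki  # no other channel to check this against
            return "tofu-accepted"
        return "ok" if self.known_hosts[host] == server_spki else "HOST KEY CHANGED"


@dataclass
class HpkpClient:
    """Browser-style pinning. Constructed model: a chain is 'valid' when the leaf issuer
    is in the trust store; a real client performs full path validation here."""
    trusted_cas: set
    preloaded: dict = field(default_factory=dict)  # vendor-shipped pins
    noted: dict = field(default_factory=dict)      # pins learned from headers after validation

    def connect(self, host: str, issuer: str, chain_spkis: list,
                pkp_header: Optional[str] = None) -> str:
        # 1. Ordinary certificate validation comes first; an invalid chain ends the handshake
        #    and the header is never looked at.
        if issuer not in self.trusted_cas:
            return "cert-invalid"
        # 2. If the host is pinned (preload or previously noted), some chain SPKI must match.
        pins = self.preloaded.get(host, set()) | self.noted.get(host, set())
        if pins and not any(pin_sha256(s) in pins for s in chain_spkis):
            return "PIN VALIDATION FAILED"
        # 3. Only on a validated, pin-consistent connection is a header-supplied pin set noted.
        if pkp_header and host not in self.preloaded:
            try:
                self.noted[host] = parse_pkp_header(pkp_header, chain_spkis)
            except ValueError:
                pass  # malformed header: RFC 7469 says ignore it
        return "ok"


def scenario() -> dict:
    """An attacker holding a valid certificate for the host from a trusted-but-rogue CA,
    sitting on the path for every connection (the ALWAYS MITM case)."""
    header = (f'pin-sha256="{pin_sha256(SITE_SPKI)}"; '
              f'pin-sha256="{pin_sha256(BACKUP_SPKI)}"; max-age=5184000')
    mitm_header = (f'pin-sha256="{pin_sha256(MITM_SPKI)}"; '
                   f'pin-sha256="{pin_sha256(BACKUP_SPKI)}"; max-age=60')
    cas = {"Good CA", "Rogue CA"}
    r = {}

    ssh = SshTofuClient()
    r["ssh_always_mitm"] = ssh.connect("example.com", MITM_SPKI)   # attacker's key is recorded
    r["ssh_after_mitm"] = ssh.connect("example.com", SITE_SPKI)    # the real host now looks wrong

    pinned = HpkpClient(cas, preloaded={"example.com": {pin_sha256(SITE_SPKI), pin_sha256(BACKUP_SPKI)}})
    r["hpkp_preloaded_mitm"] = pinned.connect("example.com", "Rogue CA", [MITM_SPKI])

    fresh = HpkpClient(cas)
    r["hpkp_first_visit_genuine"] = fresh.connect("example.com", "Good CA", [SITE_SPKI], header)
    r["hpkp_later_mitm"] = fresh.connect("example.com", "Rogue CA", [MITM_SPKI])
    r["hpkp_untrusted_ca"] = fresh.connect("example.com", "Self-signed", [MITM_SPKI], header)

    naive = HpkpClient(cas)  # no preload: first contact is still TOFU, but behind a valid cert
    r["hpkp_first_visit_mitm"] = naive.connect("example.com", "Rogue CA", [MITM_SPKI], mitm_header)
    return r
```

The last case is the point of the preceding exchange: without a vendor preload, HPKP's header-based pinning is also trust on first use, so an attacker who already holds a CA-issued certificate and is always on the path gets their pins noted. The difference from SSH is that the attacker needed one of the trusted CAs to issue that certificate, and that a preloaded pin set closes even that window.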