I still prefer the present situation (States or other resourceful actors might be able to MITM me on some sites) to the scenario without https (any random person whose Wi-Fi you connect to can trivially MITM everything).
I mean, sure, from a practical standpoint I agree we're stuck with PKI, but I think the browsers need to cull, and cull hard, the number of CAs that they trust (and, yes, that would absolutely suck for both CAs and their customers). They also need to be a lot more open to per-user, per-site cert pinning so that we can build trust networks on our own.
Most of the sites I connect to I don't actually "trust" in any real sense, so a third party assuring me they are who they say they are isn't useful information for me. (Am I being phished right now? It doesn't matter, because I don't trust news.ycombinator.com with any information I wouldn't also give to a phisher.)
Not really; self-signed certs prevent non-resourceful actors (to use your phrase) pretty well too, well enough that I don't care about the difference for the vast majority of my traffic (how many sites do I actually trust more than I trust some rando pretending to be them? Not many, and those few are the only ones where 3rd-party verification gives me any useful information). If we decoupled the need to just encrypt transport (which is easy) from the need to verify authenticity (which is hard), we wouldn't need so many CAs to begin with (because far fewer sites would need them) and stuff falling through the cracks like this would be both less likely and easier to spot.