The hierarchical nature of the certificate signing is a major vulnerability, as demonstrated over and over.
Rough thought. Can the fingerprints of the certificates be signed by e.g. GnuPG, adding web-of-trust mechanism in parallel to the hierarchical one?
An improvised implementation for HTTPS can be done via a detached signature, stored in a file with defined location (e.g. /certsign.gpg ?) This can be implemented as e.g. a browser extension that fetches the file, checks the signatures, and shows an icon displaying the results and optionally showing the entire web-of-trust on click.
Another possibility is crowdsourcing the fingerprints; having some server/service that the browsers connect to when contacting a HTTPS domain, and checking the fingerprint and certificate history.
Both methods are independent on the signing hierarchy, are complementary, and can work for self-signed certificates as well.