You’ve made a pretty big error in saying trusted CAs are only about the browser. What about host-to-host comms, which are secured by SSL certs? The whole reason Equifax was clueless for months about their breach is they allowed their SSL certs to expire, which caused critical host-to-host comms to break down. You don’t get that certificate warning you can click through when you have host-to-host encrypted traffic. If those certs had been revoked, they would have had the same problem.
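The point above, that machine-to-machine TLS fails closed on an expired certificate rather than showing a warning someone can click through, is exactly why expiry has to be monitored out of band. The script below is an added example, not code from the commenter or from any product mentioned here: it walks the DER of an X.509 certificate with the standard library only, pulls out the validity window, and classifies each certificate in an inventory. The `sample_cert` helper and the host names are constructed for the demonstration so it runs offline; on real input you would pass the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` or read from a `.der`/`.pem` file.

```python
"""Inventory check for X.509 validity windows, using only the standard library.

Added example (not the commenter's code). The DER encoder at the top exists
only to construct sample certificates inline; the parser works on real
certificates because it follows the RFC 5280 TBSCertificate field order.
"""
import datetime as dt

UTC = dt.timezone.utc


# --- minimal DER encoder, used only to build the constructed sample certs ---
def der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | number of length bytes, then big-endian length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def utctime(t: dt.datetime) -> bytes:
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime


def sample_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Constructed certificate: real TBSCertificate layout, dummy key/signature."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                  # [0] version v3
              + der(0x02, b"\x01")                            # serialNumber
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
              + der(0x30, b"")                                # issuer (empty Name)
              + der(0x30, utctime(not_before) + utctime(not_after))  # validity
              + der(0x30, b"")                                # subject
              + der(0x30, b""))                               # subjectPublicKeyInfo (dummy)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))  # + sigAlg, signature


# --- parser: locate Validity inside a DER certificate ---
def _tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> dt.datetime:
    s = value.decode("ascii")
    if tag == 0x17:            # UTCTime YYMMDDHHMMSSZ; RFC 5280: 00-49 -> 20xx, 50-99 -> 19xx
        yy = int(s[:2])
        s = str(2000 + yy if yy < 50 else 1900 + yy) + s[2:]
    elif tag != 0x18:          # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def validity(cert_der: bytes):
    """Return (notBefore, notAfter) as aware UTC datetimes."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version present
        _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer
    _, val, _ = _tlv(tbs, pos)              # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, p = _tlv(val, 0)
    t2, na, _ = _tlv(val, p)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_cert(cert_der: bytes, now: dt.datetime, warn_days: int = 30):
    """Classify a certificate; days_left is negative once it has expired."""
    nb, na = validity(cert_der)
    days_left = int((na - now).total_seconds() // 86400)
    if now < nb:
        return "not_yet_valid", days_left
    if na <= now:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def inventory_report(inventory: dict, now: dt.datetime, warn_days: int = 30) -> dict:
    """hostname -> (status, days_left), the thing a pager should key on."""
    return {host: check_cert(cert, now, warn_days) for host, cert in inventory.items()}


if __name__ == "__main__":
    now = dt.datetime(2024, 6, 1, tzinfo=UTC)  # constructed "current" time
    hosts = {  # constructed inventory of internal endpoints
        "api.internal": sample_cert(dt.datetime(2024, 1, 1), dt.datetime(2025, 6, 1)),
        "db-proxy.internal": sample_cert(dt.datetime(2024, 1, 1), dt.datetime(2024, 6, 11)),
        "tap.internal": sample_cert(dt.datetime(2023, 5, 1), dt.datetime(2024, 5, 1)),
    }
    for host, (status, days) in inventory_report(hosts, now).items():
        print(f"{host:20} {status:14} {days:+d} days")
```

The parser is deliberately strict about field order rather than searching for time tags, so a certificate without the optional version field still parses correctly. Note what a verifying client does with the `tap.internal` entry: an `ssl.SSLContext` with default settings raises `ssl.SSLCertVerificationError` on an expired peer certificate, and the connection never happens, which is the failure mode the comment describes.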
I am not really trying to fix the trust problem… which probably defies any single solution. I am addressing the dangers of 1) piling into a single system of trust instead of dispersing that trust across multiple systems; 2) trusting encryption when the KMS is the proper object of that trust; and 3) the unintended consequences of “free” and “automated”… namely the “fire and forget” complacency which it begets.