Exactly this. CA curation. These sort of trade-offs are probably beyond a single entity to assess (arguments about fundamental PKI limitations aside), but I'm certain if there was an API, even just some simplified file format, "the web" could come up with a way to crowd-source better intel on what CAs should and shouldn't be in the list, all the way down to explicitly using only ones you want. A bit like bittorrent blocklists, ye olde spam list, etc.