[MichaelGG]

How is this any worse than trusting the original CA? There's almost assuredly some high standard they use to cross sign, and they'd get revoked if they do that incorrectly. You're failing to note that MCS was revoked as was CNNIC. So, boom, 2 bad/laughably incompetent players are out.

Trusting a CA means trusting them to write certs, even via an intermediary. If you don't actually trust them, remove those CAs.

The CA model has lots of problems, but I don't see what additional harm this actually causes.

[Natanael_L]

Because it doesn't settle with having as many single points of failure as the number of CA entries in your root CA list, they are getting multiplied over and over.

[MichaelGG]

How would it be any different if these CA's made a choice to instead issue end-user certs but based off of Let's Encrypt's authorization?

[Natanael_L]

Fewer master keys to target

[MichaelGG]

I'm gonna guess that getting into Let's Encrypt's HSM is as hard or harder than breaking their auth procedures.