by scrollaway 3540 days ago
What did I miss? Last I heard about this, the plan was to ban them from issuing new certificates for a year. Did something change?
2 comments

That remains the plan.
> 1) Distrust certificates chaining up to Affected Roots with a notBefore date after October 21, 2016.

> ...

> 4) Remove the Affected Roots from NSS after the SSL certificates issued before October 1, 2016, have expired or have been replaced.

This sounds more serious than that. It says they can re-apply for inclusion of new roots next June though. So in practice it might really be just a one-year ban, if they will apply and pass the inclusion process.
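To make step 1 of the quoted plan concrete, here is an added example (not code from the thread or from Mozilla) that applies the distrust rule to a certificate chain: walk from the leaf up to its self-signed root, and if that root is on the affected list, distrust any leaf whose notBefore falls after October 21, 2016, while leaving earlier leaves trusted until they expire. The root names, the chain and the dates are constructed placeholders, not real WoSign or StartCom identifiers.

```python
from dataclasses import dataclass
from datetime import date

# Step 1 of the quoted plan: leaves chaining to an affected root with a
# notBefore after this date are distrusted.
DISTRUST_NOT_BEFORE_AFTER = date(2016, 10, 21)


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the fields of an X.509 certificate we need."""
    subject: str
    issuer: str
    not_before: date
    not_after: date


def find_root(leaf: Cert, chain: dict) -> Cert:
    """Follow issuer links until reaching a self-signed certificate.

    chain maps a subject name to the Cert for that subject. Raises
    ValueError on a missing issuer or an issuer loop so that a broken
    chain is never silently treated as trusted.
    """
    cert = leaf
    seen = set()
    while cert.subject != cert.issuer:
        if cert.subject in seen:
            raise ValueError("issuer loop in chain")
        seen.add(cert.subject)
        try:
            cert = chain[cert.issuer]
        except KeyError:
            raise ValueError(f"issuer {cert.issuer!r} not in chain") from None
    return cert


def evaluate(leaf: Cert, chain: dict, affected_roots: set, today: date) -> str:
    """Return 'expired', 'distrusted' or 'trusted' for a leaf certificate."""
    if today > leaf.not_after:
        return "expired"
    root = find_root(leaf, chain)
    if root.subject not in affected_roots:
        return "trusted"
    if leaf.not_before > DISTRUST_NOT_BEFORE_AFTER:
        # Issued after the cutoff under an affected root: distrusted.
        return "distrusted"
    # Issued on or before the cutoff: stays trusted until it expires.
    return "trusted"


# Constructed sample data (placeholder names, not real CA identifiers).
AFFECTED_ROOT = Cert("CN=Placeholder Affected Root", "CN=Placeholder Affected Root",
                     date(2010, 1, 1), date(2030, 1, 1))
OTHER_ROOT = Cert("CN=Placeholder Other Root", "CN=Placeholder Other Root",
                  date(2010, 1, 1), date(2030, 1, 1))
AFFECTED_INTERMEDIATE = Cert("CN=Placeholder Affected Intermediate",
                             AFFECTED_ROOT.subject, date(2012, 1, 1), date(2025, 1, 1))
CHAIN = {c.subject: c for c in (AFFECTED_ROOT, OTHER_ROOT, AFFECTED_INTERMEDIATE)}
AFFECTED_ROOTS = {AFFECTED_ROOT.subject}

LEAF_BEFORE_CUTOFF = Cert("CN=example-before.test", AFFECTED_INTERMEDIATE.subject,
                          date(2016, 9, 1), date(2019, 9, 1))
LEAF_AFTER_CUTOFF = Cert("CN=example-after.test", AFFECTED_INTERMEDIATE.subject,
                         date(2016, 11, 1), date(2019, 11, 1))
LEAF_OTHER_ROOT = Cert("CN=example-other.test", OTHER_ROOT.subject,
                       date(2016, 11, 1), date(2019, 11, 1))

if __name__ == "__main__":
    check_date = date(2017, 1, 15)
    for leaf in (LEAF_BEFORE_CUTOFF, LEAF_AFTER_CUTOFF, LEAF_OTHER_ROOT):
        print(leaf.subject, "->", evaluate(leaf, CHAIN, AFFECTED_ROOTS, check_date))
```

The chain walk matters more than the date comparison: a leaf issued after the cutoff by an intermediate is just as distrusted as one signed directly by the root, and a chain that cannot be completed should fail closed rather than pass as "not affected".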

> This sounds more serious than that

I think you're slightly misunderstanding the plan (assuming I have interpreted your post correctly).

[ Edit: I just re-read your final couple of paragraphs and you're basically saying the same thing I wrote below ]

Effectively WoSign's (and StartCom's) current root certificates are now dead and useless for any new issuance.

Under Mozilla's proposed course of action, existing end user certs that were signed by those roots are valid, but there will never be any more.

But, at some point in the future WoSign and/or StartCom can generate new root certs and apply to have them included in Mozilla's CA store.

That "point in the future" is June 2017 for WoSign and maybe earlier for StartCom if they can prove that their not controlled by WoSign (it seems unlikely that they can prove that). Their application process will need to demonstrate that they're resolve the issues that got them into this trouble

A 1 year ban is a long time for a company that sells certs. It might be the end of WoSign.
Interestingly - this is a ban on their roots.

How much do you want to bet they're already working out how to supply new and renewing customers with certs provided by some other CA?

I notice the most recent StartSSL cert I got has a 3 year validity instead of their previous standard of 1 year - presumably in the hope that when my cert needs renewing they'll be able to provide that service. (I do have a handful of their certs which will expire during this 1 year ban. I'll certainly be needing to go elsewhere to renew them (finally time to learn how to auto-deploy Let's Encrypt certs to Amazon ELB I guess, or maybe move all those domains to Route53 - I probably should have made time for that already...))

How about AWS Certificate Manager? Their certificates are free and integrated with AWS services like ELB.

https://aws.amazon.com/certificate-manager/

(No doubt they're free because they're integrated with AWS services and can't be used elsewhere.)

They admitted they screwed up and the CEO stepped down.
"Will step down", according to his own post on https://groups.google.com/d/msg/mozilla.dev.security.policy/....