by cheeze
3054 days ago
Even EV certs don't really matter. Case in point: https://stripe.ian.sh/

Let's Encrypt isn't the problem here. Expecting all CAs to properly verify what is and isn't a phishing website is unreasonable IMO. It just won't happen. Smaller CAs have hundreds of thousands of certs... it's just not possible.

The real issue is that a cert only says "Your communication between this site is encrypted, and you're speaking to the owner of this certificate" (Assuming it hadn't been compromised.) Certs don't make any guarantee that the person you are talking to is a good guy, nor that they aren't trying to trick you into giving your password to them.