The interesting thing is that web browsers can make people "get on board" with anything. Most of the PKI and TLS changes in the last couple years have happened because Chrome/Firefox/Safari have decided to say "this or your page won't work".
Understanding where web security is right now is about understanding who is making the decisions (regardless of any claims about committees and processes), and what motivations they have to make the decisions they do.
More precicely, it means that compromising the public key infrastructure requires compromising one specific CA, rather than compromising any single CA out of hundreds. Ideally, we would it to instead require compromising all CAs out of hundreds, but as long as the defective-by-design X.509 PKI is used, that's not very possible, much less likely.
Understanding where web security is right now is about understanding who is making the decisions (regardless of any claims about committees and processes), and what motivations they have to make the decisions they do.