I guess it depends if we’re talking about the main CAs or the Mickey Mouse
I benchmarked and checked most of the root cert providers. Basically, if you want a certificate you can get one; you just have to work a bit harder on the verification processes when buying from the main players. They are there to make money first and protect the public second. The flaws are in the documentation required to check an organisation and the process they go through to check it, particularly off-shore (think big USA provider checking a UK small business).
But the most massive flaw ever is that nobody checks a certificate when going to a website. Who here checks every day that the SSL cert for bbc.co.uk is actually owned by the BBC? A certificate simply says that company X owns domain Y. It is 100% valid for “Dave’s Dodgy Motors” to have an EV certificate for ferrari.co.uk if he owns the domain.
Trust me, as one who was in this industry when Verisign were making shedloads of cash, that it was invented for the industry, not the consumer. Let’s Encrypt turned the model on its head and, as a result, we are actually more secure, as more sites can now implement SSL and the likes of Google can start to mandate it.