An ISP could inject their own certs very easily. Send an email to customers: "Here, run our 'tune up' app to speed up your computer." A huge portion of customers would probably do it. Bingo, new CA roots installed.
In that case the ISP would be inducing the user to install malware. If the ISP is willing to do that, then you should probably view them as malevolent adversaries in your security model. I don't really think that an OS can protect against this in any reasonable way if that OS allows users to update certificate stores themselves. I don't really view this as a problem with the certificate model as opposed to plain old social engineering.
In any case, I don't think "an ISP could inject their own certs very easily" is a fair characterization unless you put it on the same footing as "anyone with your email can get people to install malware easily".
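The thread above agrees that an OS which lets users add roots cannot stop this at install time, which leaves detection: compare the trust store against a baseline captured from a clean install and flag anything extra. The script below is an added example, not code from any commenter; it uses only the Python standard library and assumes the baseline is a set of SHA-256 fingerprints the operator recorded earlier. The byte strings standing in for DER certificates are constructed so the script runs offline; a real check would parse the OS bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-style systems) instead.

```python
"""Trust-store drift check: flag root certificates whose SHA-256 fingerprint
is not in a known-good baseline (added example, standard library only)."""
import base64
import hashlib
import re
import textwrap

# Matches each PEM certificate block; the body may span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def parse_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex
    (the same form browsers and openssl -fingerprint -sha256 display)."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_unexpected_roots(bundle_text, baseline_fingerprints):
    """Fingerprints present in the store but absent from the baseline, sorted."""
    present = {fingerprint(der) for der in parse_pem_bundle(bundle_text)}
    return sorted(present - set(baseline_fingerprints))


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block (used to build the sample store)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: these byte strings stand in for DER certificates so
# the example runs offline. Fingerprinting does not depend on their contents.
KNOWN_ROOT_A = b"constructed sample: baseline root A"
KNOWN_ROOT_B = b"constructed sample: baseline root B"
ROGUE_ROOT = b"constructed sample: root added by a 'tune up' installer"

# Baseline as an operator would have recorded it from a clean install.
BASELINE = {fingerprint(KNOWN_ROOT_A), fingerprint(KNOWN_ROOT_B)}
CLEAN_STORE = to_pem(KNOWN_ROOT_A) + to_pem(KNOWN_ROOT_B)
DRIFTED_STORE = CLEAN_STORE + to_pem(ROGUE_ROOT)

if __name__ == "__main__":
    for name, store in (("clean", CLEAN_STORE), ("drifted", DRIFTED_STORE)):
        extra = find_unexpected_roots(store, BASELINE)
        print(f"{name}: {len(extra)} unexpected root(s)")
        for fp in extra:
            print("  ", fp)
```

Comparing fingerprints rather than subject names matters here: an installer can give its root any subject it likes, but it cannot produce a certificate whose SHA-256 hash matches a baseline entry. Run the check on a schedule and alert on any non-empty result.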