This seems like a problem that could be pretty easily solved by the browser vendors, similar to how they do malware checks. Throw up a "this site's security certificate was issued by a compromised authority, and will no longer be valid in <x time at y date>. If this is your website, click here for more information." Run that for a sufficiently long period of time, then kill the CA.
It's not perfect, but we have a huge web of people using these affected sites on a daily basis who can serve as a very powerful driving force to spur change when necessary to minimize fallout.