Someone must've suggested this already, but why not just create a "distributed" cloud service that caches certs as seen by users with their frequency and geographic location? Browsers could then have a plugin that connects to that cloud to compare the certs they're getting and those already cached. Surely if 90% of Iranians are seeing one cert and 90% of users elsewhere are seeing something else then there's an issue with that cert. Obviously the issue then is making sure that the info you're getting from that service is accurate ... but the point is that that system would gain resilience through decentralization (vs. the CAs, which are centralized).
Not a be-all and end-all solution, but at least something that can be layered on top of what we have today and that provides an extra barrier of sorts.
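To make the comparison step concrete, here is an added example (not code from the poster or from any existing notary project) of the "compare what I got against what the cache has seen" logic. It assumes the cache hands back a list of observations, each with a host, a certificate fingerprint and a coarse region; the fingerprints, regions and hosts below are constructed sample values, and the 90% figure from the post is used as the agreement threshold. It takes the cache's contents at face value, which is exactly the accuracy problem the post points out.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One cached report: the leaf-cert fingerprint a client saw for a host,
    plus the coarse region the client reported from."""
    host: str
    fingerprint: str
    region: str


def tally(observations, host):
    """Group the cached observations for `host` into per-region and global counts."""
    by_region = defaultdict(Counter)
    overall = Counter()
    for o in observations:
        if o.host == host:
            by_region[o.region][o.fingerprint] += 1
            overall[o.fingerprint] += 1
    return by_region, overall


def check_cert(observations, host, seen_fp, my_region, min_reports=5, threshold=0.9):
    """Compare the cert a client just received with what other clients have cached.

    Returns one of:
      "unknown"      - too few cached reports for this host to say anything
      "consistent"   - the same fingerprint dominates globally, or at least
                       among observers outside my own region
      "suspicious"   - my fingerprint is almost never seen outside my region,
                       while a single different fingerprint dominates there
      "inconclusive" - mixed observations (e.g. a key rotation in progress)
    """
    by_region, overall = tally(observations, host)
    total = sum(overall.values())
    if total < min_reports:
        return "unknown"

    # What observers *outside* the client's region have seen for this host.
    elsewhere = Counter()
    for region, counts in by_region.items():
        if region != my_region:
            elsewhere.update(counts)
    elsewhere_total = sum(elsewhere.values())

    global_share = overall[seen_fp] / total
    elsewhere_share = elsewhere[seen_fp] / elsewhere_total if elsewhere_total else None

    if global_share >= threshold or (elsewhere_share is not None and elsewhere_share >= threshold):
        return "consistent"
    if elsewhere_total >= min_reports and elsewhere_share <= 1 - threshold:
        dominant_fp, dominant_n = elsewhere.most_common(1)[0]
        # Only call it suspicious when the rest of the world agrees on one other cert;
        # a scatter of different certs elsewhere is not evidence of a targeted swap.
        if dominant_fp != seen_fp and dominant_n / elsewhere_total >= threshold:
            return "suspicious"
    return "inconclusive"


def build_sample_cache():
    """Constructed sample cache (not real data). 'fp-A', 'fp-B', 'fp-old' and
    'fp-new' stand in for SHA-256 certificate fingerprints."""
    obs = []
    # Region R1: 20 clients saw fp-B, only 2 saw fp-A.
    obs += [Observation("www.example.com", "fp-B", "R1")] * 20
    obs += [Observation("www.example.com", "fp-A", "R1")] * 2
    # Two other regions: every client saw fp-A.
    obs += [Observation("www.example.com", "fp-A", "R2")] * 30
    obs += [Observation("www.example.com", "fp-A", "R3")] * 30
    # A second host in the middle of a key rotation: both certs seen everywhere.
    for region in ("R1", "R2", "R3"):
        obs += [Observation("rotating.example", "fp-old", region)] * 10
        obs += [Observation("rotating.example", "fp-new", region)] * 10
    return obs


if __name__ == "__main__":
    cache = build_sample_cache()
    for host, fp, region in [("www.example.com", "fp-B", "R1"),
                             ("www.example.com", "fp-A", "R1"),
                             ("rotating.example", "fp-new", "R1"),
                             ("unseen.example", "fp-A", "R1")]:
        print(host, fp, region, "->", check_cert(cache, host, fp, region))
```

The "elsewhere" view is what makes the regional comparison work: a client in R1 that receives fp-A still gets "consistent" even though its own region is mostly reporting fp-B, because the check looks at agreement outside its region. The rotation case shows why a plain "differs from the majority" rule is not enough; mixed observations spread evenly across regions are a normal key change, not a substitution, and the checker reports them as "inconclusive" rather than raising an alarm.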