I stopped going to key signing parties years ago after coming to the same conclusion. We have two examples of PKI: X509 and the web of trust. Both are deeply flawed. The Web of Trust adds no security whatsoever, but seems to be harmless in that it doesn't undermine the security of the systems it is bolted onto. X509 in contrast does give us something we didn't have before - when it works it prevents man in the middle attacks. But it is brittle. A single weak link can and has broken the entire thing. And when it breaks, it compromises the security of every system on the planet using it.
Unfortunately we seem to be trapped by commercial incentives. X509 is brittle because CA's make money from selling trust. It is in their interest to keep you dependent on them. We would all be better off if we just used their cert to download a self-signed cert from the vendor, giving ourselves forward secrecy. If that had been in place before the Iran thing Google would have downloaded their own certs to most browsers, so the hacked cert would have only effected new connections. As it is, they got all of connections.
I think you are right is saying when it comes to establishing trust, creating an audit trail of signed postings is the best way to go. A couple of years worth of signed postings to LKML or debian devel creates a history far more reliable than someone on the other side of the planet claiming they had sighted drivers licence. It is also easily transferred to other projects.
Sadly that is undermined by Google and other email merchants who don't provide a way to send signed messages with their software. The cynic in me says Google would far prefer you to depend on their login and password management, their server security, and their "True Names" policy for establishing trust. It's far better from Google's perspective if we all put our faith in "I saw it in Linus's g+ posting" rather than "I saw it in a message signed by Linus".
We probably have only ourselves to blame. The current PKI are not only broken, they are unbelievably difficult to use. Who here has managed to produce a self signed cert with openssl, or has truly mastered gpg options? The mere thought of gpg's 76 line output for gpg --help makes me shudder. In the light of that mess it is not surprising commercial solutions are stepping in to fill the gap.
I don't think it is technically difficult to design a system that would work well. The problem seems to be one of social engineering; of agreeing on a standard and getting the code out there; not of designing it. A such it seems like a problem open source could solve.