Well, if your only response to discovered issues is to blacklist CAs for life, then you'll just be encouraging cover-ups. Or to put it in economic terms, if you make responsible disclosure more expensive than the cover-up, then businesses will choose the latter.
Which is better for users? I wonder if someone has tried modelling this, perhaps using game theory.
The basic problem is that any CA can sign for any domain. That's the problem we should be working on. Once that is solved the rest becomes tractable.