What stops the browser from automatically trusting a forged certificate signed by a bundled CA? That's not a hypothetical question. It's happened before - either through incompetent CAs, or malignant ones (see: Google/Mozilla vs China).
The problem with the current trust model is that it's unclear who we trust -- or, put another way, who we empower to betray us. No trust without the possibility of betrayal - no betrayal without trust.
With the current model, the path from who the user trusts (e.g. Mozilla, Google and the OS vendor) is abused to extend to way too many CAs. So many that the user can give up (i.e. I use the browser and trust the green bar) -- or get a crippled experience, because the model assumes that you trust all bundled CAs. Sure, power users can in theory remove CAs from the store (and add ones, like I do for cacert.org, as I use them for my domains).
The fact that I add cacert.org reminds me of another thing: There should probably not be any CAs that can sign arbitrary subdomain.TLD. Since I add cacert.org, they can empower someone to MITM all my TLS connections. But that is a separate issue - this issue already exists.
Trust decisions are all about meaningful choice -- and choosing between not using the web, and trusting Chinese (and every other) intelligence, along with various foreign corporations (they're all foreign to someone) to not enable/be tricked into MITM of my email, my web browsing etc.