
> TL;DR: Forget your EV or other certs. Just run “Let’s Encrypt”.

The author has a fundamental misunderstanding of the situation [1]. Trustico's awful decisions regarding

a) storing customers' private keys and

b) improperly handling key material

have no bearing whatsoever on EV certs, which verify the legal entities that run websites. This is like saying Trustico is bad, therefore HTTPS is bad.

[1] Assuming this is what the author said - the site is in plain HTTP so integrity isn't guaranteed.




There is at least some merit to the argument that "Trustico Bad" => "CAs bad" => "HTTPS Bad".

More than one CA has been shown to be extremely lacking in trustworthiness and that trust is important. I'm OK with the centralised model but there needs to be a bit more visibility of the CA process.


I'd settle for an end to the credentialism that ensures only the rich and powerful can enter the CA business. The actual technical chops and physical/operational requirements to become a CA are modest by the standards of the average HN reader, but the financial cost for the audit required to wind up in the browser trust stores is prohibitively high.

...That, and given the massive failures we've seen coming out of the CA world recently, I question whether those audits are actually worth anything.


Aren't the audits what allow us to find out about the failures, and revoke their ability to be a CA?


How many of the most recent failures have come to light as a result of a failed audit, and how many were due to a post-audit, outrage-generating violation of basic best practice and common sense?


The whole point of auditing is to detect problems before they become big, embarrassing, messy failures that put users at risk.

If you hang out on mozilla.dev.security.policy for a while, you'll see plenty of examples of audits exposing weaknesses or sloppiness on the part of CAs, and receiving the resulting pushback from browser vendors. Here's the most recent example I've found: https://groups.google.com/forum/?fromgroups=#!topic/mozilla....


So is a fair summary, "In a weak attempt to force Digicert to revoke 23,000 certs, Trustico proved they had the private keys for those certs. In the process, Trustico also proved they are completely untrustable as a CA."?


Yes, with the addition that Trustico also don't know how to transmit key material as well. Basically DigiCert's summary nails it.



