It could be structured based on kittens and be at least as secure. I could steal a guys wallet, copy his id, slip it back or just throw it out, buy a certificate, slip virus laden software and it would get a huge seal of approval.
That's not much of an argument. It's not very easy to mug someone from Nigeria. Eliminating a remote attack is a big deal.
Of course, the sheer number of certs given out guarantees that some bad guys will be able to get one using fake id. But the point is to make malware rare and easier to investigate, not to eliminate it completely.
