The process of obtaining an SSL certificate does not involve divulging your private key to the CA so what are you trusting them with? In reality you are trusting them not to sign certificates for sites not owned or administered by the person requesting it, they could (in theory) do this whether you got your certificate from them or not. In practice they cannot do this on a widespread scale without it being detected (e.g. Chrome sends info to Google if a certificate for a google domain is valid but not from the Google Internet Authority) and as soon as that happens then they lose their business (as is what happened to a CA that got hacked).
It's the same kind of non-trust you (and others) assert over CAcert.
See how well that model worked with Comodo and TurkTrust - both of which are still in business and in default CA lists, which is counter to your assertion that careful CA operation makes business sense.
Unfortunately there's no will with browser vendors to _really_ improve matters (maybe TACK?), so something like CAcert is great should it get implemented (providing some heat to CA providers) and even when not (by showing the browser vendors' hypocrisy).
The process of obtaining an SSL certificate does not involve divulging your private key to the CA so what are you trusting them with? In reality you are trusting them not to sign certificates for sites not owned or administered by the person requesting it, they could (in theory) do this whether you got your certificate from them or not. In practice they cannot do this on a widespread scale without it being detected (e.g. Chrome sends info to Google if a certificate for a google domain is valid but not from the Google Internet Authority) and as soon as that happens then they lose their business (as is what happened to a CA that got hacked).