Sounds like planned obsolescence
It was my understanding that when SSL certificates first came out, there was supposed to be identity validation done by the issuers in the first place.
Now that everyone knows SSL is required to send any bank/credit card info, word is coming out that current identity validation isn't what it should be.
The solution is a new "kind" of SSL certificate that you can buy from your certification authority for more money.
After paying top dollar for this new, green-bar EV kind (where presumably your extra thousand dollars or more goes to the difficult task of them verifying you are... somebody), will there come a time when we hear tell that EV wasn't strictly followed by some of the vendors, and they're now roughly worthless, and there's a new color "EEVWRMI"* certificate being released?
(* Extended-Extended Validation We Really Mean It)
I believe this is a problem with certificates being used for two purposes: encryption _and_ identification. And the whole "trust" model requires that you basically trust someone you don't know, who is supposed to be trustworthy, to guarantee that someone else you don't know is somehow trustworthy. It's not surprising this has some holes.
Paris because, well, I don't need to say it, do I? ;)