CA Certs
I have disabled all bar ten CAs on a couple of installations--it's been a few months ago and I'm still to get any warning regarding an untrusted cert.
Ideally, browsers would come with CA certs pre-installed, but initially untrusted until the user hits a website that requires it, then it would ask the user whether they trust the Turkish Central Bank CA to have signed the cert for google.ie, for example. It's far from perfect as it has an impact on usability and it does not address the real problem (pointed out by Aitor above), but nonetheless it'd be a small step forward.
However, as Aitor hints at, CAs cannot be trusted anyway as they're in the habit of "lending" their signing keys to, as they call it, "partners".