This basically would create a CA's CA. Another SPOF, and one that would be like OCSP: good if you have it, useless if you don't.
It would be much more easier for CAs to use real secure stuff like FIPS level 3 compliant HSMs requiring Operator Cards/Tokens to actually *sign* the stupid certs. Sure it's slower, but at least it means that some shady hacker won't get his rogue cert signed w/o physical access to the CA's site. Make some CA standard requiring this and blacklist non-conforming CA entities!
The other option is simply to use the Convergence alternative.