Reply to post: Re: DV's only

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

Michael Wojcik Silver badge

Re: DV's only

EV certs are dead, since Chrome and Safari stopped displaying them, because users ignored them

Possibly overly optimistic. While browser manufacturers scorn EV certs, the CA/BF loves them. Their Code Signing Working Group mandated EV certs for code signing (as if that wouldn't be a fucking nightmare) in their draft spec, and - as some may remember - Microsoft briefly adopted that position, before backing down in the face of ISVs waving torches and pitchforks. It wouldn't surprise me if the CA/BF keeps pushing EV certificates for years to come, even with the browsers ignoring the distinction. And they'll try to wedge them into more non-TLS applications.

I agree that EV certificates are largely pointless - the additional cost doesn't buy much, considering that CAs have a record of not performing the additional verification properly (or at all, in some cases), and the HSM requirement for key management is not universally enforced and was poorly written in the first place. (FIPS 140-2 L2 security on the HSM isn't worth a damn, and prevents people from using inexpensive hardware with open-source drivers.) But CAs and the CA/BF will try to find ways to keep the EV cash cow alive for a while yet.
