
Where are you getting this "allowed in general" thing from? I can't see anything in there at all that would imply that.


Many certificates that you can buy today are issued by legitimate resellers of bigger CAs. That's done by the big CA (which is in the list of trusted roots) handing out a CA certificate to the reseller.

We'd probably want to keep this as is, or the already way too big list of roots in the browsers becomes totally unmanageable. Or we move back to the days of only a handful of roots, which probably means also going back to the old prices ($500+ a year for a non-EV one).


We're kidding ourselves, totally kidding ourselves, that we have made the CA system "manageable" by allowing CAs to sell subsidiary CAs to other companies. Yes, those certs aren't cluttering up our 2 terabyte hard disks. That's a bad thing, because they're still out there, and they work whether your browser tells you about them or not.


All this means is that CAs have to be a bit more careful who they give reseller certificates to - essentially, only signing reseller certificates for sellers they think are trustworthy.

Because that's what signing a * certificate says - "I trust the owner of this certificate with signing power for every domain". If a particular CA is giving that away to people who shouldn't be trusted with that, then that's pretty shady behaviour on the part of the CA.



