Nothing illustrates it better than @tux3 above: "I have a moderate trust in the CA ecosystem as a whole"
Trust in CAs is a bit like trusting your bank or state. Only that if you trust one bank you automatically trust all banks (unless you use key pinning or other on-top solutions that have been bolted on afterwards).
CAs have a license to print money. What we need is a transparent Authority that is owned by the people, not by some megacorp, which issues not only site certificates but individual identity certificates. It's important to know if the CA has "skin in the game" when they say they can protect you. (None of them do.)
Disclosure: I work for The Authenticity Institute and we're quite active in that domain (also we think the way CAs are managed is a liability in the age of critical IIoT and ICS security).
Can you elaborate? I am not familiar with the specifics of Diebold's problems and how a voluntary audit (which they could choose to keep private and use for internal assessment) would hurt them more than not knowing the risks.
Given the risks that screwups have to their business, I would think CAs would VOLUNTARILY do this.