It's bad, but the WebPKI of the oughts featured CA certificates issued to random big enterprise IT teams that could simply issue arbitrary certificates. We've come a long ways.