
Yet it works with way over five nines confidence. Despite all its faults, the system works decently.

I would myself prefer DANE being used, because it's IMHO sounder technically, but we'll possibly have the same issue with registrars doing a sloppy job as we have with CAs, so not sure that it would actually be a win...



DANE has its own issues though: by itself, even if you're using DNSSEC with it (as you ought to be), you're essentially shifting trust from CAs to registry operators, your DNS service provider, and whoever operates the root zone.



