
The policies are implemented in code, in this case. But let's rephrase my question then: are they working on a better way of handling certificate trust, in which a random compromised CA cannot do as much damage? The current model is clearly broken security-wise, and I'm sure this is only the start of the abuse.


I don't know if there's such an effort underway, but I hope so. Unfortunately, the entrenched players don't really have much of an incentive to change things; they're making billions from the current certificate model. The CAs don't even need to be compromised: there are quite a few that are maybe not 100% trustworthy (China's CNNIC is one that springs to mind) that are trusted by browsers by default. I agree it's a huge problem. I was merely pointing out that the problem does not lie within TLS/SSL.

The PGP "web of trust" is an existing distributed trust model; it never really caught on, though.



