That is one of the reasons I have not bothered with public CAs for a long time but rather deploy my own, including my own OCSP responder. May I ask how you create a CA which is valid for clients without them having to install your root cert?
and CA trust in clients. The latter, though, could easily be overcome if browser and email clients were to support DNSSEC/DANE validation.
That is where DANE/TLSA comes in but it requires DNSSEC/DANE validation in the client and of course DNSSEC and TLSA records in the domain's DNS. Notwithstanding that the upstream DNS resolvers utilized by clients need to support DNSSEC queries/answers as well.
Whatever the reasons for the lack of such validation support in most clients (incl. web browsers), one speculation is that it would kill commercial CAs (as such, Let's Encrypt is one too, through their sponsors), or at least has the potential to diminish their business (model).
Suppose we do not hijack this thread any further and avoid eventually earning discontent ... ;)