Everyone needs to opt in to use more secure methods, and by default non-secure validation methods, which make it easy to issue fake certificates, are allowed. This is wrong.
So, what should they do? No certificate without DNS record? Would this really help the overall state of affairs, or would most sites just not use HTTPS at all because it's "too complicated"?
It absolutely serves this purpose in a world in which there unfortunately is no TOFU/unauthenticated encryption for TLS (i.e. ours).
Thanks to widely available HTTPS certificates, "evil hackers stealing your cookies on public Wi-Fi" is not a thing anymore.
We should definitely have a discussion about whether it's made active attacks more feasible, but I think the goal of making passive sniffing less trivial than it was before can be considered achieved.