
I think fundamentally, it is impossible to trust any entity forever. The best solution would be certificate updates outside of normal update paths. It's not like the format of x509 certs has changed in basically ever.

I suspect that protocol churn will settle down now. TLS 1.2 was introduced in 2008 and is still considered ok, so it's hardly that new now. Lots of people looking carefully hopefully means most of the issues have been flushed out.



It's true that TLS 1.2 is still considered OK, but cacert now only serves on TLS 1.3, Windows 7's integrated HTTP stack only supports TLS 1.2 and below, and Scoop relies on using PowerShell or similar to download cacert before it can install curl, meaning I can no longer install curl that way on Windows 7 (still an OS nearly as usable as Windows 10 and Linux, though apps are sadly starting to drop support for it).



