Yes this is the unfortunate situation. Just like all the other now standard security features of the net, nobody uses them until the option is no longer an option, or a disaster happened.
When you look at the small list of correctly configured sites, one company stands out as being rather important, and that is Verisign.
Yes, it would seem to be a good idea that a site that serves certificates has some ability to protect itself against spoofing.
As more and more attacks are aimed at the network infrastructure (inside and outside the home), rather than just hacking a site or PC, we may get to a point when even EV certificates cannot be trusted for authentication because you cannot tell if the domain is real or faked.
Users can opt for a DNSSEC resolver, but like you said nobody knows or cares about it so usually only accidentally have it, eg. if they swapped to a Google DNS.
People never care about something they don't know.
Privacy via HTTPS sites is made weaker if your requests for domains are not als encrypted with DNSSEC.
DNSCrypt is an extra feature that authenticates the DNS you use because a DNS can also be spoofed.
Sites should also use encryption and authentication when talking to DNS, or yet again the privacy is borked and it is possible to do a man in the middle attack.
Any site that serves an Operating System image or web browsers needs to be sure their downloads are not exchanged for something else.
As far as I know only 1 web browser comes with DNS spoofing protection, or at least it is the first to feature built-in DNSCrypt support.
Yandex. another chromium based project.
Shame most Vivaldi users are not as concerned about fake sites as they are about syncing and fancy icons.
I still use Firefox for trustability over other browsers due to the extensions available that Google do not allow.
Calomel lets you know if an otherwise good certificate is weak, and can override the browser security.
Perspectives checks the certificates of sites you visit against historical data from many geographically separate servers, so you can see if the "good" certificate you see is different than the one everyone else sees, and it can override the browser security settings.
HTTPS Everywhere for FF has extra features such as sending the certificate to the EFF observatory and options for overriding the browser security and encryption.
(spot the thing that Google don't allow)
Alternatively/additionally you could use an extension that does reverse DNS checks of all the sites you visit and pops up warnings if the domain does not match the registered IPs, but in an era of CDNs will show a lot of false-positives, so is best used by someone that knows what they are seeing.
