IMHO, the solution will ultimately have to break to:
1. Secure the login process (many good ideas available here!). This does not solve the entire problem!! We stil need to prevent spoofed sites from spreading malware and false information (content)!
2. Improved site-identification indicator. IEv7 improved a bit, by indicating organization name and CA in the location bar (unfortunatley, for EV-equipped sites only). Their display, unfortunately, is not very visible and not customizable – I believe that in TrustBar, a FF extension I did with students, we did better – more visible, customized, etc. Further improvements are needed (we are testing now), e.g. we may ask users to click on the site identifier to enter each (sensitive) site.
3. Improved protection against malware – in particular, may be a good idea, to require explicit user identification of each site from which browser receives content.
4. Allow users to delegate the `trust decision` (which CA identifications are acceptable) to a security/trust service provider (like anti-virus service).

EV makes the right statement: Site XYZ is identifed by CA Blue. It is crucial to identify who says the site is as is, otherwise it falls to the browser. The CA must be represented as the one who said so, not only because it is their cert, but because this correctly allocates the liability to them for getting it wrong.

But EV mucked up and turned it into a marketing-driven campaign: those who pay more (somehow) get the valuable green bar. Which means “the few” … who really aren’t so much of an issue. Meanwhile, the rest, the $10 cert factories with low or no security thresholds, are *hidden* from user scrutiny. To be a security statement and not a marketing statement, it should have been the other way around: Low cost CAs will always be named and shamed with the statements they make. (High cost CAs might be able to buy a better class of shame…)