
I love that you can just buy a CA and devices will trust the new owner. That’s not messed up or anything.


WoSign/StartCom got a bit of a smackdown about their stealth acquisition so there is some level of oversight.


Only because they made the mistake of sharing their infrastructure (hence, their quirks) and got caught. I wouldn't call that oversight.

CAs should be required to announce ownership or large administration changes, and trust in said CAs should be revoked upon change unless/until they have been re-audited.


That is effectively how both the Mozilla and Microsoft root store programs work.


How could you design a system that works otherwise? Computer security is always about "this key says", not "this legal entity says".


A certificate is more than just a key. Especially EV certs are pretty close to "this legal entity says". CAB forum could have made a policy that root CAs are non-transferable and should remain in complete independent control of the entity that created it.


Well you could do something like have browser vendors require a legally binding document that the ownership of a CA cannot change without notice (at which point they can reassess the CA). Not that hard actually since there are only a few browsers that matter.


Peer review and regular key rolling should be built into the system.

It should not be based on "root" certificates, rather something more like blockchain for generating security keys, and each roll/session generates a new key.

IANAEE, but if building a currency is possible without it being possible to create fake money, then it should be possible to protect websites in a similarly decentralised way.


We have peer review in the current CA system in two forms: Certificate Transparency is the more visible one, and the CAB forum operates more in the background.



