Hacker News

You hit on a good point... a better solution would be a special class of certificates, sort of like EV certs, where the lifetime is extremely short, specifically for the sorts of enterprises, like banks, that need that level of care. Granted, most banks can't get their SPF, DKIM, and DMARC correct for years at a time, so they would definitely find a way to screw that up.


The problem with that solution is that EV already showed that a two-class system of certificates that only really differ in slight UI hints is not useful. Normies never had any idea what the green bar means, and even unusually savvy users are not likely to remember whether a particular website had an EV certificate or not last time they visited.



