I don't think StartSSL is obligated to provide free stuff. If anything, StartSSL should be obligated to charge money for their service, if they expect to remain competitive. As it stands I think that StartSSL's free certificates do not meet my standards for what the lock icon in a browser should mean.
Security is a lot more complicated than that little lock icon, anyway. Security means different things to different people, devices, and protocols. It's a UX/UI problem. What we need are fresh ideas on how to convey security concepts through GUIs and human interfaces. We need ways of visualizing privacy and trust networks (things like Lightbeam and Collusion), and ways of securely building trust links (things like interactively-verified Diffie-Hellman over NFC, or ssh-keygen's randomart).
Not even sure where to begin with that. You can't simultaneously say we can't trust their certs because they charge to revoke, and say they should be obligated to charge money.
Whether or not their users follow good security practices is not something they can account for. The only way they could account for it would be to force revocation of all previous certificates. The same is true of every other CA. It's incredibly likely that many users of SSL across the board will fail to replace and revoke old certs, regardless of what CA they use.
I agree that there are flaws in the way we currently utilize SSL. But that is a fully separate issue, and not related to "Should StartSSL specifically be considered untrusted". StartSSL shouldn't be singled out to have their business destroyed because the industry as a whole needs to be improved.