Yeah, that's a super good point. It could end up going that direction. I would hope that issuers would be kept accountable by the people trusting them, and get bad reviews if they didn't do their job, like anything else. That would allow for a decentralized system without a deep and brittle hierarchy like with CAs.
One problem with root CAs is probably that they're baked into the OS/browser at a low level, and need to be trustworthy for every request, rather than being a bootstrapping mechanism. The moment a root CA gets compromised, everyone using a certificate downstream is in trouble. The same would be true of a WoT bootstrapping service, but the duration the certificate needs to be valid would be days or weeks, not years (taking renewals into account).