This is true, but those governments already control the domain name system, so they can yank or redirect your domain. You're already trusting the registry, so why not have them sign your certificate? There's nothing stopping you from pinning it later, too.
Also, that way you could limit your trust to one entity per TLD. Unlike today where any CA anywhere in the world can sign any certificate.
I feel like I have to keep saying this over and over: no, you do not rely on the domain name system for security. TLS was designed to assume that the DNS was totally insecure.
Yes, world governments can yank GOOGLE.COM so you can't reach it at all. But what they can't easily do is stand up a different MAIL.GOOGLE.COM and reliably collect people's mail.
However, if we were stupid enough to stick TLS certificates into the DNS...
The trouble with the idea that TLS assumes DNS is "totally insecure" is the numerous CAs that will issue certs based on proof of control over the domain name -- as observed by the CA.
So while TLS itself doesn't trust DNS at all, PKIX does! CAs may well have google.com on a blacklist, but if someone could "yank" matasano.com and point it at their own server, they could most likely get GoDaddy to issue them a cert based solely on their control over that server. GoDaddy's existing test for the legitimacy of a certificate issuance request is the ability to post a text file with specified contents on an HTTP server pointed to by the subject CN.
(For that matter, the attacker who took control of the matasano.com zone could then publish MX records allowing them to intercept any verification or confirmation e-mails to the whois contacts.)
I agree that the model doesn't work at all right now without pinning, though for the adversaries I'm concerned about, it's still strictly better than DNSSEC.
Without pinning, keys in authenticated DNS (like with DANE) are strictly better than CA certificates, because the CA certificates are themselves issued on the basis of (even unauthenticated!) DNS data.
I find it hard to believe that a government agency couldn't easily present a forged certificate perceived as valid by popular browsers if they were so inclined.
Couldn't you also pin a certificate if it was distributed over DNS? DANE would make setting up SSL simpler for operators of small sites while not compromising the ability of big players, like Google, to deploy their own security mechanisms.