The issue here is not about boycotting StartSSL because of their 'vulture-like' business model, it is about whether StartSSL can be trusted by browsers to actually secure connections. It can be argued that StartSSL is not actually providing an acceptable level of security, since the ability to revoke and regenerate a certificate is part of the service that a CA should provide. If StartSSL isn't performing security audits, gives out free certificates like candy, but charges for maintaining security, none of the free certificates are actually known to have any level of security.
There are many websites using StartSSL certificates that could also be using a compromised private key. Should there really be a lock icon in your browser if your connection is not actually secure?
StartSSL does provide revocation and regeneration of certificates. They charge for this service, just like other CAs charge for generation of certificates.
I would much rather StartSSL provide free certificates, even knowing that not everyone whose private key was compromised regenerated a certificate, than have StartSSL pulled from trust stores and thus cause fewer future sites to not have SSL because of the associated cost.
This is more of a problem with the simplistic trust model that is typically used with X.509 and TLS, rather than a problem with StartSSL. The type of security that you are suggesting is similar to opportunistic encryption or decentralized trust. Self-signed certificates are intended to fill this role; however, it is too difficult for the average user to use self-signed certificates securely, so browsers put up a scary warning to protect users from themselves. If cryptographic concepts could be securely exposed to end-users, then self-signed certificates could be used securely. In that case, StartSSL wouldn't even need to exist. Unfortunately, in the current trust model that is being used, StartSSL has to exist to fill the niche for people who just want SSL to work. But because of recent events, this creates a problem in which the all-or-nothing security model essentially requires that StartSSL be blacklisted because of their business model.
Keep in mind that while plain self-signed certs just don't work at all given user behavior, self-signed certs plus TACK have about the same security level as SSH host keys. If and when most browsers have TACK, and most sites use TACK headers, the CA infrastructure will become mostly (though not entirely) irrelevant.
I don't think StartSSL is obligated to provide free stuff. If anything, StartSSL should be obligated to charge money for their service, if they expect to remain competitive. As it stands I think that StartSSL's free certificates do not meet my standards for what the lock icon in a browser should mean.
Security is a lot more complicated than that little lock icon, anyway. Security means different things to different people, devices, and protocols. It's a UX/UI problem. What we need are fresh ideas on how to convey security concepts through GUIs and human interfaces. We need ways of visualizing privacy and trust networks (things like Lightbeam and Collusion), and ways of securely building trust links (things like interactively verified Diffie-Hellman over NFC, or ssh-keygen's randomart).
Not even sure where to begin with that. You can't simultaneously say we can't trust their certs because they charge to revoke, and say they should be obligated to charge money.
Whether or not their users follow good security practices is not something they can account for. The only way they could account for it would be to force revocation of all previous certificates. The same is true of every other CA. It's incredibly likely that many users of SSL across the board will fail to replace and revoke old certs, regardless of what CA they use.
I agree that there are flaws in the way we currently utilize SSL. But that is a fully separate issue, and not related to "Should StartSSL specifically be considered untrusted". StartSSL shouldn't be singled out to have their business destroyed because the industry as a whole needs to be improved.