If those sites should not be allowed to own the domain names they are using, then the registrars can take the names back.
All the DV certificate means is "you are using an authenticated connection to the server that answers for foo.com".
TLS doesn't have anything to do with the ethics, morality, or legality of the site operators.
It's too bad that we've trained laypeople to think otherwise. But even a phishing site should be served over HTTPS. Otherwise, the user will be vulnerable not only to the phishing site but to every intermediate server that the connection passes through.
In my opinion, there should be no padlock, no visual indicators that a connection is secure for DV certs. The end user doesn't have to know a website uses HTTPS. The padlock should only show up (along with the company name) when the website uses an EV certificate.
I'm also in the position of running a small online business on the side, and such a change would almost certainly require an upgrade to an EV certificate. While we have thought about it (and I have tried to find some data on changes in conversion rates possibly coming from it), I haven't quite been able to convince myself that the costs and hassle are worth it.
The process may be prohibitively expensive in some countries, or for some very small operations.
I advocate quite often for presenting the other side's best possible arguments, but I guess that I should include a recommendation to actually engage with these as well. In this case, it doesn't amount to much more than "but still..."
(Not disputing the data.)
Should the CA prevent people from getting certificates for domains containing the names of 'big' websites and corporations? Should browsers make it more obvious that the website has an EV certificate? Maybe also try to detect phishing URLs?
