That was true when the Internet only had a handful of websites using SSL.
But even before Let's Encrypt, CAs' cheapest certs (DV) only validated DNS records.
Even the most expensive certs, EV certs, could be spoofed:
Turns out CAs aren't the right tool for stopping malicious sites on the Internet.