Pinning is an unscalable hack around the core problem.
Google adds a whitelist of public keys to Chrome upon request, only for high impact sites. Firefox does the same, with a different list. Safari doesn't support it at all. IE supports it in a useless fashion.
This is totally unworkable in the long term. Broader support also opens it up to smaller (less savvy) sites who will inevitably get bitten by a lack of foresight. "Oh, I only authorized GoDaddy and now I use Entrust...". However, set too broad a list and you've just given an attacker a list of targets to pick the weakest link from, possibly not dissimilar from choosing a target amongst "all CAs clients support".
The manual method is not the only way, and it's always been apparent that it was not the end game. HSTS and HPKP are important steps forward, and support is decent. As always though, IE is a useless impediment to progress.
https://projects.dm.id.lv/Public-Key-Pins_test
It's going to be a while before HPKP is everywhere, but it's definitely a better approach.
Pinning eliminates CA's by eliminating the agility they provide. Not inherently an awesome deal.
