
Of course they do. That's why millions of us have been pushing for years for DNSSEC, TLS (hopefully someday with DANE), Tor onion services, RPKI, etc.

A bad state of affairs is no reason to keep going in the wrong direction.



DANE is a PKI whose roots are controlled by world governments, so pushing for it as an alternative to "single actors" doesn't make much sense.


ICANN's DNS roots are flawed by centralization, and DNS itself is a very insecure protocol. However, DANE is still major progress over the browser CAs, because you can stop trusting random corporations and state agencies (the CAs, who are known to emit fake certificates) and instead trust your naming scheme.

Agreed, DNS might not be the best candidate for this. However, DNSSEC validation within the LAN (e.g. on your local router, not @Google/CloudFlare) mitigates a lot of the associated risks, and a new secure backward-compatible protocol like the GNU Name System (yes, that's a thing) may eventually overcome those risks entirely in clever ways.

There's literature and actual deployments on tying name resolution to public key discovery in location-addressed protocols (e.g. .onion, .i2p) and it makes complete sense in my view. If such concerns interest you, check out the latest GNS draft RFC: https://lsd.gnunet.org/lsd0001
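What "trust your naming scheme" means mechanically for DANE, as an added example that is not code from this thread: a TLSA record (RFC 6698) pins either the whole certificate or just its SubjectPublicKeyInfo, and the client compares what the server presents against the association data it got from DNS. The certificate here is a constructed DER skeleton with placeholder key and signature bytes, not a real signed certificate.

```python
import hashlib
# Assumption: SAMPLE_CERT below is a constructed DER skeleton with a placeholder
# key and signature, built only so the parser has real bytes to walk.

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (bodies under 256 bytes, enough for this skeleton)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, header_len, body_len) of the TLV starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        return buf[pos], 2, first
    n = first & 0x7F
    return buf[pos], 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the SubjectPublicKeyInfo TLV."""
    _, hdr, _ = read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs_hdr, _ = read_tlv(cert_der, hdr)     # tbsCertificate SEQUENCE
    pos = hdr + tbs_hdr
    tag, h, n = read_tlv(cert_der, pos)
    if tag == 0xA0:                             # optional [0] EXPLICIT version
        pos += h + n
    for _ in range(5):                          # serial, sigAlg, issuer, validity, subject
        _, h, n = read_tlv(cert_der, pos)
        pos += h + n
    _, h, n = read_tlv(cert_der, pos)
    return cert_der[pos:pos + h + n]

def tlsa_association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """RFC 6698 selector 0 = full cert, 1 = SPKI; matching 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return data if matching == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).digest()

def tlsa_matches(record: tuple, cert_der: bytes) -> bool:
    """record = (usage, selector, matching_type, association_data) as in the TLSA RR."""
    usage, selector, matching, assoc = record
    if usage not in (1, 3):                     # PKIX-EE / DANE-EE pin the leaf itself
        raise NotImplementedError("CA-constraint usages 0 and 2 need chain validation")
    return tlsa_association_data(cert_der, selector, matching) == assoc

ECDSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))      # ecPublicKey
                          + der(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
            + der(0x03, b"\x00\x04" + b"\x11" * 64))                       # placeholder point
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ECDSA_SHA256 + der(0x30, b"")
    + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    + der(0x30, b"") + SPKI) + ECDSA_SHA256 + der(0x03, b"\x00" + b"\x22" * 16))
# A "3 1 1" record (DANE-EE, SPKI, SHA-256), the form most zones publish.
PUBLISHED_TLSA = (3, 1, 1, hashlib.sha256(SPKI).digest())
```

Because a "3 1 1" record pins the key rather than the certificate, the operator can re-issue or switch CAs without touching DNS, but any key rotation must be published in the TLSA record ahead of time or clients doing DANE validation will refuse the new certificate.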


No, DANE is a step back from CAs. When the Certificate Transparency logs show a CA has misissued, any of Google, Apple, or Microsoft can destroy that CA, as has happened with several of the largest CAs. Meanwhile, not only is there no such thing as Certificate Transparency for DANE, but you also can't revoke .COM at all.

Pretty much every way you look at DANE, it's a debacle.



