Well, for EVs only very specific CAs can issue a cert with a green bar (except for IE, because it has a setting for custom OIDs that will show an EV bar).
If we are talking about a state-level attacker, one of the few things that does help is abolishing the CAs completely and doing it over DANE, because when, for example, China wants to manipulate dropbox.com, it won't work because the Chinese have no access to the DNSSEC keys of the com zone (much less the root key).
Also, when talking about state-level attackers, they can probably easily enough forge the security seal. Attacking HTTPS already takes enough effort because you need the CAs and the ISPs to do what you say, and when doing that you could either create a fake site along with a seal, or you just use the data you get, maybe modify it, or you just read it and get the passwords etc.
What I meant earlier about that you can't fake a cert, much less an EV, was more meant in regards to hackers and the like, but the main point is that such a seal can be faked a lot easier than people think.
I have seen enough sites with just the image of such a seal or even multiple of such seals, with every one just being a picture, probably enough to give the average user who probably doesn't know that you should click these things, and in case of Comodo's "hover" seals because you aren't even seeing whether this pop-in comes from Comodo or was just placed by the site.
The problem is that any site could try to fake a seal just to get the trust. It doesn't even need an attacker; a random scammer could set up his own scamming site, place a lot of trust marks on it and scam the hell out of the people.
Another way would be finally starting to restrict CAs, so that not every CA can get a cert for every domain.
Firefox, for example, has (according to their own data) 169 CA certificates: https://wiki.mozilla.org/CA:IncludedCAs
By using a small bit of searching (I use the CSV for simplicity), in there we have 94 certs marked as "not ev", meaning that the rest are certs which allow EV certs, making a remaining 75 CA certificates allowing EV generation.
I don't know how many of these are TLD-restricted, but I guess that, if any, there won't be many.