It's correct that if root CA is compromised you can make fakes.

To protect against this attack browsers should warn when certificate changes, there even is a long standing bug for firefox in mozilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=471798