I'm not sure if I agree.

You can't easy man in the middle authenticated protocols like SSH or HTTPS.

Unless you own a CA, or are a powerful country able to coerce a CA, or mandate installing one into users' PCs.

As for SSH - you missed the "TOFU" bit, Trust On First Use. Do you verify your SSH host keys every time before connecting to a new server? The docs for GitHub doesn't even mention it.

unencrypted/unauthenticated protocols are on their death bed.

I partially agree - encryption appears to be a solved problem today. Key distribution, however is not, it's layers upon layers of half-solutions of wishful thinking, glued together with hope.

The layers should be independent to allow for maximum flexibility.

Depends on your threat model and priorities, right :) HPKP is helpful and does not require DNSSEC. DANE and CAA are helpful but require DNSSEC.