
How on earth are they making money, then?


IMHO there's an opportunity for a lot of disruption in the CA industry. Managing a lot of certificates gets out of control pretty quickly and if they build a system with decent hierarchical authentication you can start to see a situation where large companies might opt to use them for most (or all) certificates. Put another way, imagine being able to log into your dashboard, create a sub-user and assign permissions for that sub-user to issue certificates for subdomain.example.com.

You can limit certificate issuance to a single issuer via CAA in DNS, so you could set your domains to use ZeroSSL exclusively and ZeroSSL could validate ownership of a domain to allow you to create that hierarchy.

I can think of a lot of value-added services that can be sold alongside SSL certificates. One example would be CT log monitoring, including for lookalike (FACEB00K) issuances.

The other thing with SSL is that a lot of people equate it with domain security, so I think there's a certain level of domain monitoring that could be sold alongside certificates. Things like domain expiration monitoring, registration of lookalike domains, NS changes, DMARC reporting, etc. all start to feel like a single "domain security" service.
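
An added example, not part of the comment above: how a CA-side check evaluates the CAA restriction mentioned there, following the RFC 8659 rules, run against constructed zone data. `ca.example` and `other-ca.example` are placeholder issuer identifiers (assumptions), not any real CA's CAA domain.

```python
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
# "ca.example" / "other-ca.example" are placeholders, not real CA identifiers.
ZONE = {
    "example.com": [(0, "issue", "ca.example"),
                    (0, "iodef", "mailto:sec@example.com")],
    "legacy.example.com": [(0, "issue", "other-ca.example; account=1234")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "ca.example"), (0, "issuewild", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def may_issue(ca_id, name, zone=ZONE):
    """Return True if the CA identified by ca_id may issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognized property with the critical bit (128) set blocks issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True  # no restricting property: CAA does not limit issuance
    # The issuer domain is the part before any ";parameters".
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_id.lower() in allowed

if __name__ == "__main__":
    for ca, name in [("ca.example", "subdomain.example.com"),
                     ("other-ca.example", "subdomain.example.com"),
                     ("other-ca.example", "app.legacy.example.com"),
                     ("ca.example", "*.wild.example.com")]:
        print(f"{ca:18} {name:26} {may_issue(ca, name)}")
```

A CAA set published on a subdomain replaces the parent's set rather than adding to it, so pinning an organization to one issuer also means auditing every child name that carries its own CAA records.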



