Overlooking the point
How much research did you do for this article? You've pretty much completely overlooked the point of EV.
A bad guy can't buy an EV certificate for Paypal.com, because the vetting requirements will lead to his rejection. More importantly, he can't buy one for his phishing domain PayPal-Payments.com, unless he starts a legal company by that name, with the associated record-keeping and registration requirements. The cost is much higher, meaning that he can't buy zillions of throwaway domains/certificates. The money he's paying is spent by the CA on validating his identity and recording that info for future use by law enforcement, if needed. All of these factors are where the EV value comes into play.
Now, on to your other concerns:
"Users may not see that really cool green bar (proven fact per Stanford and Microsoft)."
It's true that Stanford/MSR did a study where they found that most users didn't notice the green bar. Of course, that was very early in the IE7 lifecycle, before anyone had come to expect EV or know what it meant. Obviously, there's a long learning curve ahead here, but as PayPal and other major companies adopt EV, customers will slowly come to look for it.
<>
It depends on what you consider "spoofed content." EV identifies the owners of domains, in an unambiguous, non-spoofable way. It's not a panacea (obviously), as an XSS vulnerability or other bug in an EV website isn't going to take the green bar away. But EV does effectively attack the problem it aims at, namely misleading domain names.
<>
Sure, bad guys can easily give hundreds of dollars to CAs to pay the CAs to gather information about the bad guys for future use by law enforcement, and to spend on ensuring that the certificate requested is not a spoofing attack against another (legitimate) company. To me, this sounds like a "pro", not a "con".
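The commenter's point is that EV is a statement about who was vetted as the domain's owner, not about the safety of the site's content. Technically, a browser recognises an EV certificate by a policy identifier in its certificatePolicies extension; the CA/Browser Forum EV policy OID is 2.23.140.1.1. The following Go program is an added illustration, not code from the original article or its commenters: it constructs two self-signed test certificates (one carrying the EV policy OID, one without), then inspects the extension the way a relying party would. The domain names, organisation string and certificates are constructed for the example; the check shows that the EV marker is just an asserted policy, so a bug such as XSS on the EV site is invisible to it, exactly as the comment says.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var (
	// id-ce-certificatePolicies extension OID (RFC 5280).
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	// CA/Browser Forum EV policy identifier 2.23.140.1.1.
	oidEVPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
)

// policyInformation mirrors PolicyInformation from RFC 5280; qualifiers are
// kept raw because this check only needs the policy identifier.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// makeSelfSigned builds a constructed self-signed server certificate for
// dnsName. If policies is empty, no certificatePolicies extension is added.
func makeSelfSigned(dnsName string, policies []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{"Constructed Example Org"}},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		// Encode the extension by hand so the example does not depend on
		// which Go version's policy field CreateCertificate honours.
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		der, err := asn1.Marshal(infos)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEVPolicy reports whether the certificate's certificatePolicies extension
// asserts the EV policy OID. It says nothing about the content served.
func hasEVPolicy(cert *x509.Certificate) (bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil {
			return false, err
		}
		if len(rest) != 0 {
			return false, fmt.Errorf("trailing data in certificatePolicies")
		}
		for _, info := range infos {
			if info.Policy.Equal(oidEVPolicy) {
				return true, nil
			}
		}
	}
	return false, nil
}

func main() {
	cases := []struct {
		name string
		pol  []asn1.ObjectIdentifier
	}{
		{"paypal.example", []asn1.ObjectIdentifier{oidEVPolicy}}, // vetted owner
		{"paypal-payments.example", nil},                          // ordinary DV-style cert
	}
	for _, c := range cases {
		cert, err := makeSelfSigned(c.name, c.pol)
		if err != nil {
			panic(err)
		}
		ev, err := hasEVPolicy(cert)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-25s EV policy asserted: %v\n", c.name, ev)
	}
}
```

In a real deployment the browser also requires that the OID be recognised for the issuing root and that the chain validate; here the point is only that EV is an attribute of the certificate's policy extension, so a look-alike name without it never shows as EV, while a legitimate EV site with an application bug still does.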