Pen-y-gors: Not normally as bad as it seems...
There normally are systems in place to prevent exactly what you described (when we last renewed our certificates we had to, among other things, prove that the domain we wanted the certificates for belonged to us) but this is on the front end for customers.
Technically there is nothing to stop any CA issuing certificates for any old domain; it is only their policy and procedure (and the programming of the ordering system) that stops it happening. Once you have hacked into the back-end of a CA with access to sign certificates 'manually' (i.e. not as a customer) you can do what you want.
Also, DNSSEC 'solves' this problem by putting the SSL certificate in the DNS (if you control the DNS you control the domain. Even if you can make new valid certificates you can't put them into the DNS without control of the domain [or compromising the DNS provider ;])
Paris just because...
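
The mechanism described in the comment above is standardised as DANE TLSA records (RFC 6698), a name the comment itself does not use. As an added example that is not part of the original post, this Python sketch checks a presented certificate against a zone's TLSA records; the byte strings are constructed stand-ins for DER certificates, and the RRset is assumed to have already passed DNSSEC validation in the resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 3 = DANE-EE: the zone pins the server's own certificate
    selector: int  # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format: 'usage selector mtype hexdata...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter")
    # The hex field may be split by whitespace in zone files; join it first.
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def matches(record: TLSA, cert_der: bytes) -> bool:
    """Compare the certificate with the record's association data."""
    if record.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an X.509 parser")
    if record.mtype == 0:
        candidate = cert_der
    elif record.mtype == 1:
        candidate = hashlib.sha256(cert_der).digest()
    else:
        candidate = hashlib.sha512(cert_der).digest()
    return hmac.compare_digest(candidate, record.data)

def dane_ee_accepts(rrset: list[str], cert_der: bytes) -> bool:
    """True if any usage-3 record in the validated RRset pins this certificate."""
    records = [parse_tlsa(r) for r in rrset]
    return any(r.usage == 3 and matches(r, cert_der) for r in records)

# Constructed sample data: placeholders, not real DER certificates.
OWNER_CERT = b"constructed stand-in: certificate published by the domain owner"
ROGUE_CERT = b"constructed stand-in: certificate signed by a compromised CA"
ZONE_RRSET = ["3 0 1 " + hashlib.sha256(OWNER_CERT).hexdigest()]

if __name__ == "__main__":
    print("owner cert accepted:", dane_ee_accepts(ZONE_RRSET, OWNER_CERT))
    print("rogue cert accepted:", dane_ee_accepts(ZONE_RRSET, ROGUE_CERT))
```

The rogue certificate is rejected whatever its CA signature says, because acceptance depends only on what the zone publishes.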