That's the thing--it doesn't. The CA is just a method to guarantee the security of your connection to the server.
If you are crossing a suspension bridge, do you not want to confirm that the planks are not rotten, even if you cannot confirm condition of the ropes?
Valid connection doesn't mean that the server has not been compromised. But in that case most of the hope is already lost.
Compromising the connection in some way is way more easy than taking control of the server (hopefully...).
Authenticity of
the connection, is an important step towards security. Who has control of the server doesn't matter if you cannot be sure that you are even connecting to the right server, even if the original server was held by its intended owner.
Just because you cannot prevent something 100% doesn't mean that you shouldn't do the prevention of 99%
Sites like letsencrypt are absolutely no different than having a self-signed certificate in terms of whether the site you are connecting to is safe or valid.
You are either absolutely wrong or terribly , because that is not true.
The sole reason why CA's exists is that they help to verify the authenticity of the certificate and connection. And it has pretty good track records, billions and billions of CA verified https connections being made every day but not often you see these root certificates leak or something. Banks use them, governments use them etc. Is this all just a conspiracy of some greedy CA root holders? I doubt it.
Do you understand the problem here?
The problem is that I cannot know in any way if the certificate that this site offers to me really is loftars certificate, or if my connection to server has been compromised in some way, and it is a certificate offered by that malicious connection? If the certificate offered was signed for example by lets encrypt root certificate, I would have pretty strong reason to trust that either the connection is real or the certificate has been compromised, which is way more difficult to do than to compromise the connection. I could call loftar if I knew his number or send him email and hope to reach the real loftar who can then verify this simple fingerprint of 100 characters to be valid. But that is just very inconvenient because there are many users that frequently use this site, they cannot all call to loftar.