But you have to code that in every browser and hope people will be able to patch up. A revocation list from the parent certificate company nuking the CA is the intended way to deal with a trust breach; it should be supported everywhere, and doesn't require a full redeployment of browsers (and sometimes entire OSes!) across the world.
Most major (non-embedded, I suppose) OSes have some framework for periodically updating the certificate store. It's not necessarily a full redeployment of the OS.
Mac OS and Windows both are capable of receiving new root certs via the OS update process. Apple says it updates certs approximately once per quarter:
I think there is a pretty strong argument for treating a bad CA like a zero-day vulnerability and "fixing" the problem through a security update that un-trusts the cert. However, to date neither Apple nor Microsoft have been especially aggressive in this regard.
Google has taken a somewhat freer hand towards badly-behaved CAs, but they really only control Android: Chrome uses the OS's trust store, rather than its own (as Firefox does). They could presumably change this, and I'm sometimes unsure why they don't, but I guess it has to do with enterprise-environment interoperability. At some point if Chrome were to become the dominant browser, such that they could dictate terms to enterprise customers rather than the other way around (or if web apps really did take over the world to the point where the keystore outside your browser is essentially irrelevant; cf. Chromebooks), maybe they would reconsider this decision...
While Chrome technically does not have the kind of root program that other OS or browser vendors run, they have the ability to revoke trust for specific roots, plus other things, like enforcing CT for specific CAs. Given that there's already a root program that's being run transparently, there's not that big of an incentive to run yet another root program, IMO. Plus, while I'm extremely happy that Mozilla is running their own root program for various reasons, using existing OS APIs for these things seems like the cleanest approach (if you can't trust your OS to make these decisions, you probably have bigger problems and shouldn't run that OS anyway).