But with DNSSEC, that is no longer the case, because the credentials you need to modify DNS are typically kept offline (in admins' heads or some other safe place). There's no reason for them to be online.
I suppose you are saying "to modify SSL" you only need control over the site because of the way EV works. But "to modify DNS" you would need offline credentials. So far, I can follow.
Even if your entire online serving setup is compromised, DNS can stay secure. So if DNSSEC/DANE was implemented as a secondary form of PKI in a future version, this use case would make a lot more sense because the payment request signing key could be placed in DNS.
Not sure if I get the point here. The payment request signing key cannot be replaced because it is in DNSSEC, but its private part would still be compromised, right? I guess the term "payment request signing key" confused me and you mean the private part to be offline, too.
For the design of the payment protocol, I would certainly like to see the PKI as easily exchangeable as possible. And even allow several PKIs in parallel. The bitcoin client should then display to the user for which PKIs authentication was successful, and for which not.