You are correct, if 12 witnesses so decide, they can block all attempts to replace them. But this is exactly what they were expected not to do when they were added themselves. If a minority of witnesses appears untrustworthy, they can be promptly replaced before they reach majority.
I discuss in the whitepaper a mechanism which helps make the behavior of witnesses more predictable and earlier detect any breaches of trust: a would-be witness pledges to follow the witness lists of a few (possibly larger than 12) prominent industry leaders. The pledge is not enforceable in the protocol but publicly auditable, any breach of the pledge would immediately make the witness a candidate for removal.
"
Prominent industry leaders" sounds a bit to me like "
to big to fail banks". This inherent trust that users have to have in third parties makes me uneasy about the system design and its resilience to abuse. It additionally requires constant attention to the witness list issue and the danger of cartel forming behind the scenes. But I might be wrong and it will work well. Let's hope it will.
Indeed, trusting third-parties just like trusting bitcoin developers, miners, full node operators, and exchanges.
There was a recent medium article by Vitalik, discussing decentralization, bitcoin is technically decentralized, but it doesnt stop humans from forming groups - which we are naturally inclined to do - and groups tend to be centralized.
Byteball has a very novel balance between technical and social de/centralization - which makes it a great success.
https://medium.com/@VitalikButerin/the-meaning-of-decentralization-a0c92b76a274#.ezsb3lcnx