Tor has a couple of problems and isn't very different from a security perspective to the SSL hierarchy.

One is that people obtain Tor from a regular website, which is only guaranteed to be secure via SSL. So there's a bootstrapping problem.

Another problem is that on Tor, addresses are meaningless so it's easy to MITM people with phishing attacks. Silk Road tried to solve this by brute forcing an onion key with their name in it but phishing was still pretty common. Also the Tor developers are considering a new hidden service protocol that would make the onion addresses a lot longer, at which point brute forcing a prefix would not achieve much beyond requiring phishers to match the brute force because the suffix would be un-memorisable.

The problem of binding a human understandable and memorisable name to a public key is what certificate authorities are for. Tor doesn't solve that problem or even try: it just assumes you have a way to obtain the public key (onion address) for the website in a secure manner and punts on the whole issue of how that happens. Silk Road had a key hash that was short enough that you might be able to tell it to someone using your voice and have them remember it, or you could write it down, but that's certainly not any guarantee - Zooko's triangle posits that you can have an identifier that's secure, or memorable, but not both.

There's also some other more practical issues: one is that websites aren't going to migrate to Tor just to avoid certificate authorities, so the payment protocol has to work with the regular internet, which means X.509.

Another is that Tor is more centralised than the certificate authorities are: there are only seven directory authorities, and Tor is largely funded by the US government. There are about 100 independent CAs spread around the world and they're funded by their users.

(edited to remove erroneous statement)