Your described situation is a security risk inherent in posting payment destination details for any payment system, not just Bitcoin. If a charity were to post bank wire information or a PayPal account, it's just as vulnerable.
Bitcoin is actually somewhat ahead of the pack here because of the ease of creating new payment destinations. Ideally, each new payment should be received at a new address. This helps the receiver determine when a payment has come through absolutely. The charity would have something that creates a new address for each donor, and then makes the private key available for spending somehow (or just use one of the established payment provider services that will do this for you).
As an aside, having any payment destination information be inside a digitally-signed block of text would greatly increase its authenticity. Bitcoin provides this signature system out of the box, but it is greatly underused!
Except, many payment processing applications provide recourse in the case of a fraudulent transaction. BTC at its core cannot enable this. Can a CA be used for generation of the public-key under a commercial merchant? – Michael – 2013-05-17T17:18:51.373