you don't want relatively small(er) amounts of stake to ever be able to elect any witness, and certainly not multiple witnesses
But why not actually?
People use to describe this situation as an "attack", but for me only the ability to put in "one's own" irreversible transaction deserves this term.
What actuall harm can perform one malicious witness?
Even one malicious witness can significant disrupt the chain and cause consensus delays, as well as losses or malfunctions to services which don't wait for many confirmations/finality (which many don't and this usually works because witnesses are not malicious and accidental consensus disruption due to network delays are usually rare).
A single witness can't put in an irreversible transaction anyway, as other witnesses can always replace the block, either deliberately or by accident (above network delays, etc.)
Also, we do have backups, and they can certainly be malicious. So one malicious top 20 is actually two malicious witnesses (which may be the same actor) in a round when a malicious backup is scheduled. The potential for mischief multiplies...