by stullig 3928 days ago
I still don't get why Mozilla and Google don't accept CACerts. Couldn't a lot of this be solved by just removing the warnings?

They'll need to pass a WebTrust audit, which covers how they handle their key material amongst others. Additionally the Microsoft, Apple and Android roots have their own extra requirements added.
It always seemed odd to me how strictly CACert is treated given that TrustWave got a pass when they deliberately sold a root CA certificate for man-in-the-middle purposes.

It's almost as if money is more important than key management practices.

Thanks for all the informed info. I was just always weirded out when my browsers forced me to perform 2-4 clicks because of untrusted connections when visiting websites of, say, the CCC (who just switched to StartSSL apparently).

Or the CACert website itself.

Always seemed to me like some kind of joke.