So if a CA offers a certificate to a legitimate wordpress site, which then proceeds to let itself get hacked and host a phishing page, that CA now has to pay a fine?