It's Symantec's past operation of the CA that's untrusted by Google, and in fact one of the proposals was that Symantec make a new CA and cross-sign it with their old one, which would maintain compatibility for previous customers that pinned the Symantec root as well as customers using up-to-date browsers. So if the setup here is that DigiCert signs their own CA with Symantec's, then everyone's happy: DigiCert gets the customers, the community believes DigiCert is competent, and old Symantec customers get business continuity. It possibly makes more business sense for Symantec to sell their root to a trusted CA than to continue to operate it.
And I think it makes sense for DigiCert to buy it: Symantec's customers are people who are clearly willing to pay too much for even a low-quality certificate because they let Symantec consultants set up their trust infrastructure years ago and have no idea how to modernize their infrastructure. If you want a target market of people who will pay lots of money for CA services despite the presence of free services like Let's Encrypt, Symantec's existing customer base is a perfect fit.
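Added illustration of the cross-signing arrangement described above; this is example code written for this page, not code from Symantec, DigiCert or Google. It builds constructed throwaway roots ("Old Root CA", "New Root CA"), a cross-certificate carrying the new root's subject and key but signed by the old root, and a leaf for the made-up name example.test, then checks which served chains each kind of client accepts:

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint issues a certificate for cn and public key pub, signed by key; parent == nil self-signs, giving a root.
func mint(cn string, pub ed25519.PublicKey, parent *x509.Certificate, key ed25519.PrivateKey, ca bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as a real CA would use
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca { // end-entity certificate: bind the hostname and restrict it to TLS server authentication
		tmpl.KeyUsage, tmpl.DNSNames, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses back
	return c
}
// BuildHierarchy models the proposal: an old root, a fresh root, the fresh root cross-signed by the old one, and a leaf under the fresh root.
func BuildHierarchy() (oldRoot, newRoot, cross, leaf *x509.Certificate) {
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the leaf's private key stays with the server
	oldRoot = mint("Old Root CA", oldPub, nil, oldKey, true)
	newRoot = mint("New Root CA", newPub, nil, newKey, true)
	cross = mint("New Root CA", newPub, oldRoot, oldKey, true) // same subject and key as newRoot, but signed by the old root
	return oldRoot, newRoot, cross, mint("example.test", leafPub, newRoot, newKey, false)
}
// Verifies reports whether a client trusting only root accepts leaf for example.test when the server sends leaf plus intermediates.
func Verifies(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters})
	return err == nil
}
```

A client that only trusts the old root needs the cross-certificate in the served chain, while a client with the new root accepts the leaf directly and is not harmed by the extra cross-certificate, which is why serving the cross-signed chain keeps both populations working.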
I work in the financial infrastructure space, and while I'm no fan of Symantec, using Let's Encrypt would get me laughed out of the room by compliance and our auditors.
Some checkboxes are ceremony, some have real purpose. One size does not fit all.
I suspect your auditors have no real reason to object to Let's Encrypt (do they understand that Let's Encrypt is equally capable of issuing a false certificate under your name? does your security rely on the browser PKI? how did every single company in the browser PKI get okayed by your auditors?).
You have a perfectly valid reason, which is that your auditors want you to buy an expensive certificate to make them happy, but you're still paying more than market ($0ish) for SSL, which means you're a good customer for DigiCert to have acquired.
BTW, if you want to save some money, try sending your auditors the WebTrust audits that Let's Encrypt has passed just as well as Symantec (if not better; see mozilla.dev.security.policy): https://letsencrypt.org/repository/
Happy to do this over beer, but I'm not sure I understand which of the SCI rules would determine which CA you use.
I'm a little amused (not at you, but at the absurdity of the whole process) that we're talking about CA selection for products that almost definitely can't even properly quote and unquote a FIX field separator from user input.
As I mentioned above, when Symantec bought Verisign it was making over $440 million a year in profit (not revenue, profit).
Buying up their customers like this is huge for DigiCert. They're getting a huge influx of paying customers at a steep discount. I'd expect DigiCert to make billions off of this deal over the next decade.