by theamk
2582 days ago
Are compromised CAs worse than other software bugs though? Yes, we have too many CAs, and some of them are pretty suspicious. It would be great to be able to give them TLD limits. But becoming a CA is still very slow and expensive, and certificate transparency will catch bad behavior. So there is a very strong incentive for each CA to be good. Compare this to a random server exploit, which is deployed anonymously and has no direct monetary harm to the maker company. No wonder there have been very few cases of CA-based compromise compared to good old software exploits.