> We've seen this happen with TLS certificate authorities
Have we? I'm going to assume that you mean CAs in the Web PKI and not just "My friend Bob runs TLS and this has happened to the CA he was running on his Windows 10 laptop".
The last CA where we had a really grave problem was DigiNotar, in 2011. It seems _very_ unlikely that the problem at DigiNotar was full key compromise; instead, bad guys appear to have penetrated the issuance infrastructure. This means they were able to (and did) issue themselves arbitrary certificates, but it did not give them the actual keys as you've said "happens frequently".
Since then we've seen a variety of unacceptable behaviour, including issuing backdated certificates to conceal the (also problematic) choice to continue doing something that was no longer allowed in new certificates, and issuing "test" certificates which would have been trusted by real client software even though their contents were known to be false. All unacceptable, and all having consequences (for example Symantec is no longer a CA) but all far short of "vendor has the keys stolen or leaked by a disgruntled employee".