[sigzero]

I don't think it is dick behavior at all. That has always been their policy. They have no control of the software originating the problem. It is up to them to wave or not but not choosing to doesn't make the anything but a business.

[Karunamon]

So it's a business. So it's policy. Those are not defenses.

A CA profiting from a vulnerability is a fairly perverse incentive, too.

[lotsofmangos]

What else do CAs profit from if it isn't security vulnerabilities?

Their whole purpose is to help with the authentication side of security. They didn't force anyone to use buggy code written by a third party and it is not their fault that many of their customers have gone and done so.