I would be more worried about other OS projects that are either too disorganized to meet whatever the signing qualifications are, or have ideological issues which prevent them from participating.
Canonical doesn't enforce signature checks for module loading (which is useful for DKMS based kernel modules, and is also a "freedom to tinker" matter). That may well lead to a revoked Secure Boot key at some point...