You didn't answer my question. What would the CA fixing it look like? Your hosting example had the company fix problems, not ignore them.

And have you seen how many actual security problems CAs have refused to revoke in the last few years? Holding them to their agreements is important, even if a specific mistake isn't a security problem [for specific clients]. Letting them haggle over the security impact of every mistake is much more hassle than it's worth.

> if you had automatic certificate rotation in place - you paid $500 for a 12-month certificate because you don't

Then in this hypothetical I made a mistake and I should fix it for next time.

And I should be pretty mad at my CA for giving me an invalid certificate. Was there an SLA?