And if it is a publicly trusted CA, it now gets to explain to browser and OS vendors how it managed to fail to comply with a required policy. (although there's of course difficulty in proving that a DNS entry existed)