My question was why this "regulatory agency" (without statutory powers) believes it is completely acceptable to cause direct harm without any discretion on the size of the risk.
What of the much greater potential harm of allowing non-compliant CAs? A CA's 'customers' are not just the people it sold certs to but also everybody on the internet who uses a browser. One way to read this incident is as a story of this inherent divided loyalty.