For example, say you're Facebook, you've got an arrangement with DigiCert where on top of the Ten Blessed Methods of the Baseline Requirements, DigiCert promises to go exclusively through a six-man "Certificate management" team at Facebook for all .facebook.com and .fb.com names. Even if Marketing really wants coca-cola-advert.facebook.com they can't get a certificate without an OK from that six-man team. Well, (and something similar really happened years ago) the deal you cut with DigiCert doesn't magically apply to every other CA. The Baseline Requirements do, but not your custom deal, so other CAs don't need to know about your rules and may issue coca-cola-advert.facebook.com certificates to the marketing guys who've set up the coca-cola-advert.facebook.com website just obeying the Ten Blessed Methods.
CAA records are in the Baseline Requirements, and so Facebook can write a CAA which says "Only DigiCert may issue". And if you look with your preferred DNS querying tool, that is exactly what they did. CAA for facebook.com is 0 issue "digicert.com"
If you posit that there are crooks at some other CA issuing bogus certificates, CAA doesn't stop that. The crooks can ignore such a rule, the same way a crook can ignore the "Employees only" sign on a door. But we can see what the public CAs are doing, so if any of them are crooked we can notice that and kick them out. For the most part, humans, including those running a CA, can be lazy and incompetent but they aren't malevolent.
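To make the CAA logic concrete, here is an added example (not from the post above) of the check a CA is supposed to perform under RFC 8659: climb from the requested name toward the root, take the closest CAA RRset, and only issue if the CA's domain is named there. The zone is a constructed in-memory dict built around the facebook.com record quoted in the post; the wild.facebook.com and locked.facebook.com subdomains are hypothetical.

```python
from collections import namedtuple

# A CAA record: flags byte, property tag, property value (RFC 8659).
CAA = namedtuple("CAA", "flags tag value")
CRITICAL = 128  # "issuer critical" flag bit

# Constructed offline zone (a real CA would query DNS for this).
# facebook.com mirrors the record quoted above; the two subdomains are hypothetical.
ZONE = {
    "facebook.com": [CAA(0, "issue", "digicert.com")],
    "wild.facebook.com": [CAA(0, "issue", "digicert.com"),
                          CAA(0, "issuewild", ";")],          # ";" = nobody may issue
    "locked.facebook.com": [CAA(CRITICAL, "unknown-tag", "x")],  # critical tag CA can't parse
}

def relevant_caa(name):
    """Return the CAA RRset of the closest ancestor (or the name itself) that has one."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree

def ca_may_issue(name, ca_domain):
    """True if ca_domain is permitted to issue a certificate for name."""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA published: issuance is unrestricted
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild") for r in rrset):
        return False
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    # Values may carry parameters after ";" (e.g. "ca.example; accounturi=..."),
    # so only the part before ";" is the issuer domain. "issue ;" yields "".
    allowed = {r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag}
    if not allowed:
        return True  # CAA exists but has no records for this tag
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for host, ca in [("coca-cola-advert.facebook.com", "digicert.com"),
                     ("coca-cola-advert.facebook.com", "letsencrypt.org")]:
        print(host, ca, "->", "may issue" if ca_may_issue(host, ca) else "MUST NOT issue")
```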