Three concerns immediately spring to mind:
1) Why aren't companies putting in the proper controls to protect their private keys from both malicious attack and accidental disclosure.
2) Why don't Microsoft / Apple / Symantec / CAs etc. have the correct checks in place to ensure these companies and the whole ecosystem are properly secured.
3) Once there is a compromise, where are the processes to respond with the issue in a timely manner, for example revoking the compromised certificates / notification etc.?