Sunday, 20 September 2015

Code-Signing Keys

I'm aware of several instances where the private code-signing key of a company has been compromised. But D-Link seems to have saved the bad guys some effort by publishing their private key themselves:


Three concerns immediately spring to mind:

1) Why aren't companies putting in the proper controls to protect their private keys from both malicious attack and accidental disclosure?

2) Why don't Microsoft / Apple / Symantec / CAs etc. have the correct checks in place to ensure these companies and the whole ecosystem are properly secured?

3) Once there is a compromise, where are the processes to respond to the issue in a timely manner, for example revoking the compromised certificates, notification etc.?
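Concern 1 asks for controls against accidental disclosure. One cheap control is a release gate that refuses to ship a source drop or firmware tree while it still contains private-key material. The scanner below is an added example in Python; it is not code from the original post and not anything D-Link ships. The directory layout, file names and file contents in build_sample_tree are constructed for the demonstration, and the list of key-container extensions is an assumption about where signing keys are usually kept.

```python
"""Pre-release scan for private-key material left in a source or firmware tree.

Added example, not code from the original post.  The sample tree built by
build_sample_tree() is constructed for illustration; the dummy PEM block it
writes is not a real key, only the armour a leak would carry."""
import os
import re
import tempfile

# PEM armour headers that mark private key material.  An encrypted PEM block
# is still flagged: the passphrase usually sits in a build script next to it.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# PuTTY private key files carry their own text header.
PPK_RE = re.compile(rb"^PuTTY-User-Key-File-\d", re.M)
# Extensions that commonly hold signing keys (assumed list).  Matching on the
# extension alone is a low-confidence hint that still deserves a look.
KEY_CONTAINER_EXTS = {".p12", ".pfx", ".jks", ".keystore", ".key", ".pem", ".ppk"}
MAX_BYTES = 4 * 1024 * 1024  # read at most this much of any one file


def scan_file(path):
    """Return a list of (finding, path) tuples for one file."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_BYTES)
    except OSError:
        return findings
    if PEM_PRIVATE_RE.search(data):
        findings.append(("pem-private-key", path))
    if PPK_RE.search(data):
        findings.append(("putty-private-key", path))
    # Java keystores start with the magic 0xFEEDFEED.
    if data[:4] == b"\xfe\xed\xfe\xed":
        findings.append(("java-keystore", path))
    # PKCS#12 / PFX files are DER: a SEQUENCE tag 0x30 at offset 0.
    if ext in {".p12", ".pfx"} and data[:1] == b"\x30":
        findings.append(("pkcs12-container", path))
    # Fall back to the extension hint only when nothing stronger matched.
    if ext in KEY_CONTAINER_EXTS and not findings:
        findings.append(("key-file-extension", path))
    return findings


def scan_tree(root):
    """Walk a directory tree and collect findings from every regular file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings)


def build_sample_tree(root):
    """Construct a toy release tree (all contents made up for this example):
    one clean source file, a leaked PEM key, a PKCS#12 bundle and a signing
    script that references it."""
    os.makedirs(os.path.join(root, "src"))
    os.makedirs(os.path.join(root, "tools", "sign"))
    with open(os.path.join(root, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "tools", "sign", "release.pem"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "tools", "sign", "release.pfx"), "wb") as fh:
        fh.write(b"\x30\x82\x04\x00" + b"\x00" * 16)  # DER SEQUENCE header, dummy body
    with open(os.path.join(root, "tools", "sign", "sign.sh"), "w") as fh:
        fh.write('#!/bin/sh\nsigntool sign /f release.pfx "$1"\n')


def demo():
    """Build the sample tree in a temp dir, scan it, return findings with
    paths relative to the tree root (forward slashes, for portability)."""
    with tempfile.TemporaryDirectory(prefix="release-") as root:
        build_sample_tree(root)
        return [
            (kind, os.path.relpath(path, root).replace(os.sep, "/"))
            for kind, path in scan_tree(root)
        ]


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind}: {rel}")
```

Run it against the unpacked release tree before it goes to the download server, and fail the build on any finding. The check only sees what is on disk as a file: unpack tarballs, zips and firmware images first, since a key inside a squashfs image or a nested archive will not be matched. A positive result should also trigger concern 3, treating the key as compromised and revoking the certificate, because once the drop has been mirrored there is no recall.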
