CT certainly helps. But it doesn't solve everything:
- It only helps for clients that check CT. The
jabber.ruattack I mentioned was against XMPP clients, and I'm pretty sure none of them check that certs are on CT logs. (In that particular case the certs were logged anyway, but one could imagine an attack involving a CA that allowed for certs to not be logged.) - It only detects unintended certificate issuance after-the-fact. So there could be plenty of time that traffic is being intercepted before someone notices something odd about the certificate.
- There's no indication of who requested a certificate, so it's not like anyone outside of the domain owner has any idea which certificates are "legitimate". (And as can be found on several posts here, oftentimes the domain owner doesn't fully understand which service providers they're using can, should, and are getting and using certificates on their behalf.)
- They're engineered mostly around ensuring the append-only nature of them is kept, and not organized in a way that makes it easy for people to monitor their domains. There are several services to help aggregate, monitor, and search them, but I suspect they're not used by most domain owners. And often, as per the last point, it's hard for domain owners to understand what they're seeing, as ideally certificate renewals are all automated so they don't know what or when certificates should be issued. (There are many posts here where people got confused as Cloudflare's CT monitoring told them a certificate got issued, but didn't make clear that it was a certificate that Cloudflare itself requested in order to handle their domain name as they desired. That's just an example, and I don't think the issue is really limited to Cloudflare)
CT is definitely better than nothing, though, and there are certainly people working on ensuring that it can scale up and improve.