@klamkin
Silly question, but..., are/were all other CAs required to meet this assessment?
OR
Are you specifically referring to the actual client software loaded/running on a "secure system"?
[not the CA that provides the certs used by such systems]