The sh*tshow just gets worse:
https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/wxX4Yv0E3Mk
If there’s a lesson to be learned here (other than that a commercial CA doesn’t offer any better security than a free CA like Let’s Encrypt), it would seem to be this: the fewer parties that are involved in your cert issuance, the better.