I think it's a failsafe to prevent just any Joe from revoking your cert. If you hold the private key then you have the private key whether or not you should. It's a bit like unlocking the house then triggering the alarm system.
I've called Wells Fargo for months about someone setting up their account using an email address for a domain that I own as their security email. Wells Fargo won't do anything to fix the situation despite my proving that the email address is compromised. As the controller of the email account, I should be able to declare the compromise, but Wells Fargo won't allow it since I don't own the account. Stupid, huh?