What is the relationship between the revocation list and OCSP Stapling?

@JamesLE Once again, I don't know much about OCSP, but I have a simple question.

My understanding is as follows.

  • (a) All certificates in the revocation list were revoked at the latest on Feb 2 (GMT).
  • (b) However, there were still URLs to which we can make HTTPS connections.
  • (c) For example, https://www.sea-mew.jp/ applies:
  • (d) The reason why we can access them is that the OCSP Response is being sent out from the server (OCSP Stapling).
  • (e) I thought that was only before the "Next Update" of OCSP Stapling, but apparently not.
  • (f) By continuing to send out OCSP Responses that are past their Next Update, you can continue to allow access after the certificate was revoked.
{
    "serial": "0327DE233A59025180811F2B05114C3E62A7",
    "domainName": "www.sea-mew.jp",
    "subjectAltName": "DNS:www.sea-mew.jp",
    "CA": "Let's Encrypt",
    "notBefore": "2021/12/16 10:22:11",
    "notAfter": "2022/03/16 10:22:10"
}
$ TZ=GMT date
Thu Feb  3 15:35:15 GMT 2022

$ openssl s_client -connect 'www.sea-mew.jp:https' -servername 'www.sea-mew.jp' -CApath /etc/ssl/certs -status < /dev/null 2> /dev/null | head -n 19
CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 27 14:22:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 0327DE233A59025180811F2B05114C3E62A7
    Cert Status: good
    This Update: Jan 27 14:00:00 2022 GMT
    Next Update: Feb  3 13:59:58 2022 GMT

$ ag www\.sea-mew\.jp tls-alpn-01-affected-certs-by-regID.csv
275393:49720356,"0327de233a59025180811f2b05114c3e62a7","2022-03-16T01:22:10Z","www.sea-mew.jp"

My questions are as follows.

  • (Q1) Why can I access https://www.sea-mew.jp/ as of 3pm on Feb 3 (GMT)? Is (f) the reason?
  • (Q2) If (Q1) is correct, then why can't I access https://sea-mew.jp/ ...? What is the difference between sea-mew.jp and www.sea-mew.jp regarding OCSP or certificates?
  • (Q3) Why can we still access some URLs after the certificate was revoked, and was there no way for Let's Encrypt to make them inaccessible? Is the OCSP Stapling mechanism vulnerable to the certificate revocation process?

I would appreciate it if you could answer my questions.


In the process of researching these on my own, I found the following past thread.

I see that the same thing has already been discussed.

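The post's point (e)/(f) is that a stapled OCSP response carries its own This Update / Next Update window, and a client that only checks that window will keep trusting a "good" answer even after the certificate has been revoked. The following is an added example, not code from the post or from Let's Encrypt: a small Python check that parses the textual dump printed by `openssl s_client -status` (layout as shown in the post), cross-references the serial against the affected-certificates CSV (column order as in the post's `ag` line), and decides whether a strict client or a monitoring job should still accept the staple. The sample OCSP text is copied from the post's output; the CSV row and the clock values are constructed for the example.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Stapled OCSP response exactly as `openssl s_client -status` printed it in the post above.
SAMPLE_STATUS = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = R3
    Produced At: Jan 27 14:22:00 2022 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
      Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
      Serial Number: 0327DE233A59025180811F2B05114C3E62A7
    Cert Status: good
    This Update: Jan 27 14:00:00 2022 GMT
    Next Update: Feb  3 13:59:58 2022 GMT
"""

# Constructed row in the layout of the affected-certificates CSV quoted in the post:
# regID,serial,notAfter,name (the "275393:" prefix in the post is ag's line number, not a column).
SAMPLE_CSV = '49720356,"0327de233a59025180811f2b05114c3e62a7","2022-03-16T01:22:10Z","www.sea-mew.jp"\n'

_TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's GeneralizedTime rendering, e.g. "Feb  3 13:59:58 2022 GMT"


def _parse_time(value):
    # strptime treats a single space in the format as "one or more", so "Feb  3" parses.
    return datetime.strptime(value.strip(), _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_stapled_response(text):
    """Extract the fields a client actually decides on from openssl's textual dump."""
    def field(name):
        m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"missing field: {name}")
        return m.group(1)

    return {
        "serial": field("Serial Number").lower(),
        "status": field("Cert Status").lower(),
        "this_update": _parse_time(field("This Update")),
        "next_update": _parse_time(field("Next Update")),
    }


def load_revoked_serials(csv_text):
    """Collect the serial column (second field) of the affected-certificates CSV, lower-cased."""
    serials = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2:
            serials.add(row[1].strip().lower())
    return serials


def evaluate_staple(text, now, revoked_serials=frozenset()):
    """Return (accept, reason) for a stapled response, the way a strict client should.

    A fresh 'good' staple is accepted only if the serial is not independently known to be revoked;
    a staple past its Next Update is rejected regardless of what it claims.
    """
    r = parse_stapled_response(text)
    if r["status"] != "good":
        return False, f"responder says {r['status']}"
    if r["serial"] in revoked_serials:
        return False, "serial is on the revocation list although the staple still says good"
    if now < r["this_update"]:
        return False, "response not yet valid"
    if now > r["next_update"]:
        return False, f"stale staple: nextUpdate {r['next_update']:%b %d %H:%M:%S %Y} GMT has passed"
    return True, "fresh 'good' response"


if __name__ == "__main__":
    # The clock value from the post ($ TZ=GMT date): Feb 3 15:35:15 GMT 2022.
    now = datetime(2022, 2, 3, 15, 35, 15, tzinfo=timezone.utc)
    print(evaluate_staple(SAMPLE_STATUS, now))
    print(evaluate_staple(SAMPLE_STATUS, now, load_revoked_serials(SAMPLE_CSV)))
```

Run against the post's timestamps, the check rejects the staple at 15:35 GMT on Feb 3 because Next Update (13:59:58) has passed; at 12:00 GMT the same staple is still inside its window and says "good", and only the cross-check against the revocation list catches it. That gap between "the staple is still valid by time" and "the certificate has been revoked" is the situation the post describes, and a monitoring job that tracks the age of a server's stapled responses is a cheap way to surface it.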