Either the CA was complicit, or they weren't secure. Regardless of which it is, the CA's root certificate is not trustworthy.
If they were hacked into, spoofed into giving out a certificate, or raided by special forces and had data physically stolen from their servers, then perhaps they can generate a new key and have that become trusted once they've taken steps to ensure something like this doesn't happen again.
But there's no way anyone can trust their old root key anymore.
