Not sure what is more shocking:
A CA having 23k private keys of their customer's certs and the CEO emailing them: http://blog.koehntopp.info/index.php/3075-how-not-to-run-a-ca/
A CA having a website which allows RCE as root, from a website input: https://arstechnica.com/information-technology/2018/03/trustico-website-goes-dark-after-someone-drops-critical-flaw-on-twitter/
I'm just speechless.