They were being honest. Were they the only ones?
What about the 650-odd other CAs in the list? None of them ever did any of that? Not even for "certified secure, honest" black box DLP systems? Never evar? Really?
On a tangential note, it would be quite useful to have a signed-by-a-CA certificate that allows you to generate certificates for your own domains at will, only you won't get that because a) it wouldn't make CAs as much money as you ponying up hundreds of dollars for each of your (sub)domains, and b) exactly this problem of being able to issue anything you like. In fact, I'd say CAs being able to do that is a problem in an of itself, too. So this problem is something to address in any possible successor to this SSL CA hierarchy thing.
In the meantime, a critical constraint that requires subcertificates signed by this certificate to have (one of this list of) domain(s) as parent would be good. That is, if this certificate lists .example.com as a subcertificate constraint then any subcertificate must be for something ending in .example.com. If you want hierarchies, then best leverage what you got. Sheesh.