Frankly, I'd be stunned and concerned if any outfit *didn't* revoke CNNIC's validity for this lot.
"Unacceptable"? Fortunately, CNNIC, you don't get to decide whether to accept things or not: we do, based on defaults from Chrome and others. It's CNNIC and their fake certificates which are not acceptable any more. Inexplicable? Well, that would be the suicidal decision to abuse that trust to issue a bunch of fake IDs, or enable a third party to do so with your implied approval.
Looks like we need a tougher auditing regime for these CAs, if not an alternative scheme entirely; I rather like the DANE DNSSEC approach for regular certificates. Maybe limit the current CA system to EV certs instead, and be much more restrictive about who can issue them.