Re: "The dodgy software was signed..."
Symantec issue (sell) code-signing certificates to software authors. Those authors then sign their artifacts (executables, DLLs, whatever) before release, so as to allow users/admins (and the OS) to verify that they are indeed legitimate and unmodified. Symantec do not sign artifacts themselves, nor do they perform any kind of per-release code review of their customers' pre-release software.
Symantec (and other CAs) may do some due diligence to assure themselves that the applicant is not impersonating an established code signing entity, and that they are technically competent to keep their certificate safe and only sign things they intend to, but then again, they may not. Certainly, attackers have previously managed to get their hands on legitimate signing keys and certificates and use them to sign malware in the past - various versions of Stuxnet were signed with Realtek, JMicron and Foxconn certificates.