This CA is trusted only by Microsoft. I and others have reported problematic CAs to Microsoft in the past (though this particular one wasn't on my radar) only for our concerns to be ignored. Mozilla, Chrome, and Apple have actual standards and don't trust CAs like this.

It's also trusted as an EU Trust Service Provider. https://eidas.ec.europa.eu/efda/trust-services/browse/eidas/... That's basically QWACS. <ins>Ah, of course you mentioned it in the other thread!</ins>

Should Cloudflare have been monitoring CT logs to spot this earlier?

We definitely should have, and that is on us. We'll fix it. https://blog.cloudflare.com/unauthorized-issuance-of-certifi...