There’s some rogue CAs that just randomly issue SSL certificates to I wouldn’t say malicious but negligent actors. After some point, that CA may be penalized by being removed by consensus of other root CAs from the root CA list. Basically, the issuing certificate for them for those websites no longer count as secure by a consensus of people who run the root CAs.