Which is why root certs are stored in HSMs, there’s a well defined total set of them, and if the owner violates any of the rules around handling of them, the CAB can put them out of business.