Internal testing?
I can see that internal testing of certificate creation, validation, revocation etc. can require bogus certificates.
What I fail to understand is why test systems with bogus certificates were exposed to the Internet.
Surely the main issue is the management and firewalling of the test and development systems to prevent them leaking onto the Internet?