This isn't a minor screw-up. This undermines the very purpose of a Certificate Authority.
I'm astonished that Google is giving them another chance, and that this isn't headline news everywhere.
There should a zero-tolerance policy for certificate authorities. Generating unauthorized certificates is a major breech of trust, and generating hundreds of them for an important and privacy-critical service such as Google is beyond any justification.