Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea

Anonymous Coward

What's the alternative?

For code signing I'm not sure there is much choice but a "golden key". Sure, you can use multiple keys and revoke compromised keys, but that revocation depends on an update being delivered before the compromise. If you started with a bunch of keys and revoked the old one with each new version, you'd reduce the chance that a compromised key could be used before it is revoked, but you'd also eliminate the ability for people to roll back to an older code version, so it is really only practical for test builds.

Having a "sign anything" key was simply a terrible decision on Microsoft's part. Sure, it makes testing easier, but how hard is it to have your build system automatically pass the binary to your signing system? If they had the devices "phone home" on a daily basis checking for key revocations, like browsers do, that would have reduced it to the number of devices that haven't been connected to the public internet since the key compromise became known.
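The scheme sketched in the comment above (several independent signing keys rather than one "sign anything" key, a revocation list, and devices that refresh that list daily) can be made concrete. The Go program below is an added example written for this page; it is not code from the commenter, from Microsoft or from The Register. The key IDs, the 24-hour freshness policy, the clock values and the payload bytes are all constructed for the demo, and Ed25519 stands in for whatever signature scheme a real boot chain would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Errors a verifier can return; a caller should treat every one of them as "do not run this".
var (
	ErrStaleRevocation = errors.New("revocation list older than allowed; refresh before trusting")
	ErrUnknownKey      = errors.New("signing key not in trust store")
	ErrRevokedKey      = errors.New("signing key has been revoked")
	ErrBadSignature    = errors.New("signature does not verify")
)

// TrustStore holds several independent signing keys, the set of key IDs that have been
// revoked, and when the device last fetched fresh revocation data.
type TrustStore struct {
	Keys               map[string]ed25519.PublicKey
	Revoked            map[string]bool
	RevocationIssuedAt time.Time     // when the revocation list was last refreshed
	MaxRevocationAge   time.Duration // constructed policy: fail closed if the list is older
}

// Signed is a signed artifact: the payload, the ID of the key that signed it, and the signature.
type Signed struct {
	KeyID     string
	Payload   []byte
	Signature []byte
}

// Sign produces a signed artifact. The key ID travels with the artifact so the verifier can
// look up the matching public key and check that key's revocation status.
func Sign(keyID string, priv ed25519.PrivateKey, payload []byte) Signed {
	return Signed{KeyID: keyID, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify checks revocation freshness first, then key membership, then revocation, then the
// signature. The order matters: if the revocation list is stale, "not revoked" means nothing.
func (s *TrustStore) Verify(now time.Time, a Signed) error {
	if now.Sub(s.RevocationIssuedAt) > s.MaxRevocationAge {
		return ErrStaleRevocation
	}
	pub, ok := s.Keys[a.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if s.Revoked[a.KeyID] {
		return ErrRevokedKey
	}
	if !ed25519.Verify(pub, a.Payload, a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Revoke marks one key ID as untrusted and stamps the revocation list as freshly issued,
// leaving every other key usable (no need to re-sign the world).
func (s *TrustStore) Revoke(keyID string, issuedAt time.Time) {
	s.Revoked[keyID] = true
	s.RevocationIssuedAt = issuedAt
}

// NewTrustStore builds a store from freshly generated key pairs. It also returns the private
// keys, purely so the demo can sign with them; a real device would only ever hold the public half.
func NewTrustStore(ids []string, issuedAt time.Time) (*TrustStore, map[string]ed25519.PrivateKey) {
	store := &TrustStore{
		Keys:               map[string]ed25519.PublicKey{},
		Revoked:            map[string]bool{},
		RevocationIssuedAt: issuedAt,
		MaxRevocationAge:   24 * time.Hour, // matches the "phone home daily" idea
	}
	privs := map[string]ed25519.PrivateKey{}
	for _, id := range ids {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		store.Keys[id] = pub
		privs[id] = priv
	}
	return store, privs
}

func main() {
	t0 := time.Date(2016, 8, 10, 0, 0, 0, 0, time.UTC) // constructed clock
	store, privs := NewTrustStore([]string{"build-2016a", "build-2016b"}, t0)
	artifact := Sign("build-2016a", privs["build-2016a"], []byte("constructed firmware image"))

	fmt.Println("fresh list, valid key:   ", store.Verify(t0.Add(time.Hour), artifact))
	fmt.Println("stale list (3 days):     ", store.Verify(t0.Add(72*time.Hour), artifact))
	store.Revoke("build-2016a", t0.Add(48*time.Hour))
	fmt.Println("after revocation:        ", store.Verify(t0.Add(49*time.Hour), artifact))
	other := Sign("build-2016b", privs["build-2016b"], artifact.Payload)
	fmt.Println("different, unrevoked key:", store.Verify(t0.Add(49*time.Hour), other))
}
```

The failing-closed freshness check is the part that addresses the comment's concern: a device that has not refreshed its revocation list within the policy window refuses to trust any key, which is what limits the exposure to devices kept offline since a compromise became known. Whether a product can actually afford to fail closed on stale revocation data is the trade-off the comment is pointing at.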
