Why involve a CA at all?
Why would an enterprise need to involve a public CA for web snooping? In 10 minutes, an admin could create his own CA using subject/Issuer information identical to Verisign. He would then roll out the spoofed CA to the truststores on corp assets (your workstation), place the cert on the corp's proxy, and use the proxy to snoop. The users wouldn't see a warning, since their browser/e-mail client trusts the bogus CA already. If the user got curious and clicked on the browser's padlock icon (or moused over it) he would see Verisign's information. Only the serial and hash would differ.
Basically, a legit admin would have no reason to obtain a certificate or device as presented in the article because the admin already has access to the client's CA truststores and the proxy. The only systems that could not be snooped would be devices that were not owned by the enterprise or accessible to the admin (if a client device is BYOD). He wouldn't want to undertake the latter, as it would/should put him in jail, which is where the admin and CA should be right now, having openly admitted to a crime.
Intentionally intercepting secure communications between devices you do not own is a crime. Saying "I'm sorry, we were misguided" afterward doesn't fix things. It is as if your postman read all of your mail with the permission of the postmaster and then said "I'm sorry".
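
The comment's point that only the serial and hash would differ is also how such a root can be spotted. The following is an added example, not part of the original comment: it flags trust-store entries whose subject matches a pinned CA while the SHA-256 fingerprint does not. The names, serials and certificate bytes are constructed, and the pins are assumed to come from a source outside the audited machine.

```python
import hashlib
import re

def fingerprint(der: bytes) -> str:
    """SHA-256 over the whole DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def normalize_dn(dn: str) -> str:
    """Compare subject names ignoring case and spacing around ',' and '='."""
    collapsed = " ".join(dn.split())
    return re.sub(r"\s*([,=])\s*", r"\1", collapsed).lower()

def audit_trust_store(store, pins):
    """store: dicts with subject, serial, der. pins: {subject DN: known-good fingerprint}.
    Returns (verdict, subject, serial, fingerprint) for every entry."""
    pinned = {normalize_dn(dn): fp for dn, fp in pins.items()}
    findings = []
    for entry in store:
        fp = fingerprint(entry["der"])
        expected = pinned.get(normalize_dn(entry["subject"]))
        if expected is None:
            verdict = "unpinned"    # no reference fingerprint; review separately
        elif expected == fp:
            verdict = "ok"          # same name, same certificate
        else:
            verdict = "lookalike"   # same name, different certificate
        findings.append((verdict, entry["subject"], entry["serial"], fp))
    return findings

# Constructed sample data: these byte strings stand in for DER certificates.
GENUINE_DER = b"constructed-bytes-standing-in-for-genuine-root-der"
SPOOFED_DER = b"constructed-bytes-standing-in-for-lookalike-root-der"
ROOT_DN = "CN=Example Public Root CA, O=Example Trust Services, C=US"
PINS = {ROOT_DN: fingerprint(GENUINE_DER)}  # assumed to be obtained out of band
STORE = [
    {"subject": ROOT_DN, "serial": "01", "der": GENUINE_DER},
    {"subject": "cn=Example Public Root CA,O=Example Trust Services,C=US",
     "serial": "7f", "der": SPOOFED_DER},
    {"subject": "CN=Corp Internal Proxy CA, O=Example Corp",
     "serial": "02", "der": b"constructed-internal-ca-der"},
]

def lookalikes(store=STORE, pins=PINS):
    return [f for f in audit_trust_store(store, pins) if f[0] == "lookalike"]

if __name__ == "__main__":
    for verdict, subject, serial, fp in audit_trust_store(STORE, PINS):
        print(f"{verdict:9} serial={serial} sha256={fp[:16]}... {subject}")
```

In a real audit the subject, serial and DER bytes would be read from the actual trust store with an X.509 parser.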