They should collect enough up front to make the revocation pre-paid. Refusing to revoke certs results in an unsafe internet and ruins the value of the entire service they are supposed to be providing.
Ensuring that valid certificates issued by them are only used by legitimate owners of the corresponding domains is their obligation.
Unfortunately, it seems as if Mozilla doesn’t care about the security of their users, otherwise this sorry excuse for a CA would have been dropped from their trust store already.
