True, but all that violating that policy does is get them kicked out of Mozilla-operated software (at least directly; indirectly I suspect it causes a lot more hassle for them). Their internal rules say that a certificate revocation requires payment so, by their own rules, they are correct. If Mozilla comes down on them for their rules, StartCom may choose to modify those rules at their option.