Signing (intermediate) certs have been compromised before. That means a bad actor can issue fake certs that are validated up to your root ca certs

While you can invalidate that signing cert, without useful and ubiquitous revocation lists, there’s nothing you can do to propagate that.

A compromised signing certs, effectively means invalidating the ca cert, to limit the damage