> Individually, any one of the failings described above might be understandable. Taken together, they point to a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security.

Microsoft’s products and services are ubiquitous. It is one of the most important technology companies in the world, if not the most important. This position brings with it utmost and global responsibilities. It requires a security-focused corporate culture of accountability, which starts with the CEO, to ensure that financial or other go-to-market factors do not undermine cybersecurity and the protection of Microsoft’s customers.

> Unfortunately, throughout this review, the Board identified a series of operational and strategic decisions that collectively point to a corporate culture in Microsoft that deprioritized both enterprise security investments and rigorous risk management. These decisions resulted in significant costs and harm for Microsoft customers around the world.

> The Board is convinced that Microsoft should address its security culture.

[0] https://www.cisa.gov/resources-tools/resources/CSRB-Review-S...

In any case, you're free to remove Microsoft's certificates and enroll your own.

This latest event just continues Microsoft's track record of being a security problem rather than having their shit together. :(