The rules and audits don't seem very effective: it's not just Diginotar that has been caught issuing rogue *.google.com certificates, but to my knowledge it's the only one that got removed from root stores.