TL;DR: in 2016 Symantec issued unauthorized certs for example.com (owned by ICANN) and a multi-domain cert with SANs for test1.com, test2.com, test3.com... even though those domains are each owned by very different organizations and did not all agree to have a common cert.
It's more than that. The ensuing thread uncovered that Symantec had exercised very lacking oversight over their partners (called Registration Authorities, or RAs) who were allowed to perform certificate validation on Symantec's behalf.
But that's almost 2 years old. Have there been any more recent incidents that I'm unaware of?