
Incredulous. This is a CA signing away their business and you make it sound like some kind of policy misunderstanding.

No, that can not stand.



It absolutely was a policy misunderstanding in 2012. It is no longer a misunderstanding, since it is now abundantly clear to CAs that they can't do that. It no longer stands.

As far as CA policy goes, 2012 was the very distant past. You might as well accuse Mozilla of poor judgment for allowing MD5 certificates in 2012; it would make as much sense.


The CA did the equivalent of purposefully putting their hand into a garbage disposal unit. You're telling me we should not reconsider them as a root CA because the unit didn't say "don't put your hand into this".

Honestly, I'm not sure how you plan to argue your way around a situation where I ended up with a rogue "mail.google.com" certificate accepted by my browser. That wasn't in the rules?! The CA wasn't clear on the policy for that?


I believe it's the case that until this comment:

https://news.ycombinator.com/item?id=12445837

... nobody had clearly explained to you what the specific transaction Trustwave got in trouble for was actually about.

Now you know, so "this will not stand" and "Trustwave stuck its hand in the garbage disposal" shouldn't be germane anymore. Once again: the whole point of those certificates is to sign domains the certificate owner doesn't control. They're sold only to giant corporations with huge amounts of insurance, and they're contractually obligated to ensure they're deployed only on the corporation's own network.

They're also not allowed anymore.
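The comment above describes the arrangement at issue: a publicly trusted root issues a subordinate CA certificate to a corporation, and that subordinate can then sign a certificate for any name, including one like mail.google.com that the corporation does not own. The example below is added here and is not code from any commenter or CA in the thread. It uses Go's standard library to build that chain twice and run the client-side verification a browser would: once with an unconstrained subordinate, and once with an RFC 5280 Name Constraints extension limiting the subordinate to the hypothetical domain corp.example. The CA and domain names are constructed for illustration; the thread does not say what constraints, if any, the certificate it discusses carried.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from template, signed by parent with signer's key,
// and returns the parsed result. A nil parent means self-signed.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain models a public root issuing a subordinate CA to a corporation, which
// then issues a leaf for mail.google.com, a name the corporation does not control.
// With constrained=true the subordinate carries a Name Constraints extension that
// restricts it to the hypothetical corp.example domain.
func BuildChain(constrained bool) (root, sub, leaf *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()

	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Public Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if root, err = sign(rootTpl, nil, &rootKey.PublicKey, rootKey); err != nil {
		return
	}

	subTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Acme Corp Subordinate CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if constrained {
		// Permit only the corporation's own (hypothetical) domain and its subdomains.
		subTpl.PermittedDNSDomainsCritical = true
		subTpl.PermittedDNSDomains = []string{"corp.example"}
	}
	if sub, err = sign(subTpl, root, &subKey.PublicKey, rootKey); err != nil {
		return
	}

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "mail.google.com"},
		DNSNames:     []string{"mail.google.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = sign(leafTpl, sub, &leafKey.PublicKey, subKey)
	return
}

// ChainValidFor performs the client-side check: does leaf chain to a trusted root
// through sub, and is it valid for hostname? Go's verifier enforces Name
// Constraints on intermediates, so a constrained subordinate cannot vouch for
// names outside its permitted set. A nil result means the browser would accept it.
func ChainValidFor(root, sub, leaf *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

// IsConstrained reports whether a CA certificate limits the DNS names it may
// vouch for; an unconstrained subordinate CA can impersonate any site.
func IsConstrained(ca *x509.Certificate) bool {
	return len(ca.PermittedDNSDomains) > 0
}

func main() {
	for _, constrained := range []bool{false, true} {
		root, sub, leaf, err := BuildChain(constrained)
		if err != nil {
			panic(err)
		}
		verr := ChainValidFor(root, sub, leaf, "mail.google.com")
		fmt.Printf("subordinate constrained=%v: mail.google.com chain -> %v\n", IsConstrained(sub), verr)
	}
}
```

Running it shows the unconstrained chain verifying cleanly for mail.google.com, which is exactly the situation the rogue-certificate complaint above describes, while the constrained chain is rejected by the verifier because the subordinate is not authorized for that name. The same `IsConstrained` check is worth running against any intermediate found in the wild: a CA:TRUE certificate chaining to a public root with no name constraints is a certificate that can sign for everyone.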



