1. A lot of businesses comply with law enforcement requests without a court order.
2. If you are capable of doing this, you are also capable of attacking the automated verification methods that low-assurance/domain-validated CAs use. For example, if you can spoof DNS for a domain, you can send the CA MX records that direct all validation email to the domain to your own server. Or, if you're a government, you can work with the target's email provider and/or domain name registrar and/or anybody else willing to help; then they could get forged certificates without the cooperation or knowledge of the CA.