> But what we were never asked was whether old certificates were cancelled... which in that system they were not. So it didn't matter how many times we rotated our secrets, any old or leaked secret in a backup or elsewhere was still completely valid. But we had met the security theater that those rotations happened.
Huh? You haven't "rotated" your credentials until the old ones are invalidated. Adding new credentials isn't a rotation.