
You said "no longer protected" which is what I'm trying to understand. All of those sites would suddenly have invalid certificates, sure, until they fixed it. But the interim period where they have invalid certificates is no more dangerous or insecure than the period before or after. The sites become less accessible, but they remain equally safe (or unsafe).



The CA itself wasn't demonstrably compromised. They issued intermediate CA certs, which makes them untrustworthy as someone who holds the power to issue intermediate CA certs, but doesn't necessarily undermine the trustworthiness of certificates issued through them directly (rather than through their bad intermediate certs), as their bad certs are not part of the chain of trust for end-user certs issued directly through them.



