On the other hand, you want to make sure CAs will keep disclosing problems like these when they become aware of them, or they will certainly do anything in their power to keep breaches silent to avoid a certain death of the company.
Well, that was kind of a big difference between DigiNotar and Comodo. DigiNotar got hacked, knew about it, then tried to mitigate without telling anyone. Comodo got hacked and disclosed what they knew ASAP. DigiNotar was pulled from the trusted root stores and went out of business and Comodo wasn't.
There were probably other reasons for the differential treatment (the scope of the Diginotar hack was bigger, for example), but I think that a lot of them are essentially strong correlates of the disclosure policy (i.e. if you have other responsible security practices, you're more likely to have a good disclosure policy).
Once the death-of-the-company option is on the table, it gives the CA a reason to comply with any lesser punishment.
For example, fines, changes to procedures, mandatory security audits, agreeing not to issue certain types of certificate, etc. - the CA is going to do their best to comply if the alternative is to be put out of business.
Whether we want browser vendors / an industry standards committee to have that much power is another matter, of course.