This could be eased by having backup root keys in escrow, but this is also a risk in that it could be hit by the same problem as the first, and creates a security risk by storing something important without commensurate oversight. Prompt resigning is a business risk, which is generally covered by CAcert's Membership and Community orientation. Most users will not see the new certificates because Vendors have a long cycle to distro new keys.