I'm quite pleased to receive a A- :-)
The reason for not disclosing anything before is perhaps quite easy to understand. Minor events are logged in the ongoing events logs and no further actions are required. Events in the magnitude of issuing a certificate wrongfully due to a bug and which requires modifications to the systems, require detailed reporting (as seen in the "critical event report"). Those reports were reviewed in time by relevant parties and will be presented to the auditors during auditing. A major event like a CA key compromise (we don't sign directly from the root) would have to be made public and handled according to the "disaster recovery guidelines". In such an event, all software vendors, subscribers and the general public must be informed immediately.
The event which happened recently wasn't a major event, but obviously important enough to act accordingly and issue the critical event report. Important to note that no third party could have relied on and have taken damage. Therefore the resolution was appropriate. The disclosure was done in order to prevent any rumors and false accusations about what did and what not happened (once it was published by Mike).