Any competent CA uses an HSM. I can even imagine using an HSM is a requirement for inclusion into the default CA bundle in web browsers.
An HSM is a Hardware Signing Module. It's a piece of hardware (supported by OpenSSL, by the way) which holds the secret keys. Secret keys cannot possibly be copied out of the HSM, except for backup purposes. But the backups are encrypted within the HSM itself, so the backed up keys can't be used for signing.
Diginotar, as most CAs I know of, uses multiple secret keys. One key is used for automated signing, typically used with Domain Validated certificates (blue address bar in your browser). For this key, a passphrase is kept somewhere available for the automated process, which of course is unsafe. Another key is used for higher security certificates. This is why not all certificates issued by Diginotar are untrusted now. The certificates used by the Dutch government, for example, are signed with another key than the compromised key used for *.google.com.
So, nobody got hold of the private key -- it's safely in the HSM. Not all of Diginotar is untrusted, just the key used for signing *.google.com. Removing Diginotar entirely from browsers is a bit of an overreaction. It also causes distrust of certificates not signed by the key used for *.google.com. This includes the central Dutch identity service, DigiD. DigiD is used for authenticating the inhabitants of the Netherlands to websites operated by the government, so removing the entirety of Diginotar from browsers has a very large and unintended side effect.
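The comment's distinction between distrusting one signing key and distrusting a whole CA can be made concrete with the openssl command-line tool. The script below is an added example and is not part of the original comment or of any CA's tooling: it constructs two self-signed CA keys (one standing in for an automated-signing key, one for a higher-assurance key), issues a leaf certificate from each, and then decides trust per leaf by the SHA-256 hash of the issuing key's SubjectPublicKeyInfo rather than by the CA's name. The CA and host names are constructed, and the script assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original comment): key-level distrust instead of
# CA-level distrust. Two constructed CA keys, one leaf each; only the leaf
# signed by the key on the distrust list is rejected.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed CA keys: "automated" stands in for a compromised automated-signing
# key, "highsec" for a separate higher-assurance key. Self-signed roots for brevity.
make_ca() {  # $1 = file prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}
make_ca automated "Example Automated CA"
make_ca highsec   "Example High Assurance CA"

# Issue one leaf certificate from each CA key.
issue_leaf() {  # $1 = CA prefix, $2 = leaf prefix, $3 = CN
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 30 -sha256 -out "$2.pem" 2>/dev/null
}
issue_leaf automated leaf_auto "www.example.test"
issue_leaf highsec   leaf_gov  "login.example.test"

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
# This identifies the key itself, independent of the subject name on the cert.
spki_sha256() {  # $1 = certificate PEM
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The distrust list holds key hashes, so other keys of the same CA stay trusted.
DISTRUSTED_SPKI="$(spki_sha256 automated.pem)"

# Returns 0 when the leaf verifies against the given CA and that CA's key is not
# on the distrust list; returns 1 otherwise.
leaf_is_trusted() {  # $1 = leaf PEM, $2 = issuing CA PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    [ "$(spki_sha256 "$2")" != "$DISTRUSTED_SPKI" ]
}

if leaf_is_trusted leaf_auto.pem automated.pem; then
    echo "leaf_auto: trusted"
else
    echo "leaf_auto: DISTRUSTED (issuing key is on the list)"
fi
if leaf_is_trusted leaf_gov.pem highsec.pem; then
    echo "leaf_gov: trusted (issued by a different key of the same CA)"
else
    echo "leaf_gov: DISTRUSTED"
fi
```

Distrusting by key hash is the granular option the comment argues for; a browser that instead removes every root belonging to the CA rejects both leaves, including the one issued under the uncompromised key.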