They have shown that they cannot be trusted. They must lose the power to do this.
Pull someone's certificates or kill some CA. Someone needs to suffer because of this.
What happens now is that there's an investigation. Depending on the outcome the CA may be revoked for good, or merely forced to reissue lots of certificates. The deciding factor is the reason for the screwup - for instance they may have got hacked, rather than been actively corrupt. In that case Microsoft will have to decide if they have patched things up enough to continue as part of their root store program or whether to pull the plug. I doubt many people have certs issued by this CA so the damage would be relatively minimal.
Unfortunately you can't just kill any CA that screws up. For one, if the CA was widely used it'd be disrupted. For another, nothing is unhackable, especially when you get the NSA involved. Expecting CAs to be able to reliably fight off professional hackers from dozens of governments and never ever fail is likely an impossible standard to ever meet.
Hard decisions ahead for browser and OS makers, for sure.