There are various attack vectors that allow spoofing of those creds without access to the private key.
What such an attacker likely can't do is answer an on-premises phone call from an extended-validation CA to get a new cert for the domain in question.
Don't get me wrong -- Let's Encrypt is a good thing for encouraging at least the possibility of security among those who cannot afford a real CA. But no fully automated system will ever be able to offer better guarantees than a staffed-up CA (not that all staffed-up CAs actually add much value, but some do). Nor are they necessarily less likely to do what Symantec did... an internal actor could issue certs willy-nilly. Breakdowns in internal checks and balances can occur in any organization. CAs will succeed or fail based on their ability to prevent them.