
Is there any kind of transparency index listing CAs and the number of mistakes they've made?


A single severe mistake can result in the CA being kicked out, but CAs like Symantec were too big to fail, so browser vendors had to spend time and effort to kick them out.

There are CT logs, of course. Even if the certs were issued by error or fraud, they must still be included in the log. There must be automated processes scanning these logs and validating the certs (x509lint, cablint, zlint, etc).

I suppose you can check CA CRLs or combined CRLs like Mozilla OneCRL to find recently revoked certs and lint them to see if they were issued with errors.
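
An added example, not part of the thread and not code from any CA, browser or linter project: the first step the comment above describes, pulling recently revoked serials and their reason codes out of a CA's CRL, using Go's standard `crypto/x509` package. The function names, issuer, serial numbers and dates are all constructed for the example; looking up each certificate and linting it is assumed to happen afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// recentlyRevoked maps serial (hex) -> CRL reason code for entries revoked within window before now.
func recentlyRevoked(der []byte, now time.Time, window time.Duration) (map[string]int, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	recent := map[string]int{}
	for _, e := range crl.RevokedCertificateEntries {
		if age := now.Sub(e.RevocationTime); age >= 0 && age <= window {
			recent[e.SerialNumber.Text(16)] = e.ReasonCode
		}
	}
	return recent, nil
}

// constructedCRL signs a throwaway CRL (made-up issuer, serials and dates) so the example runs offline.
func constructedCRL(now time.Time) ([]byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Test CA"},
		KeyUsage: x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7),
		RevokedCertificateEntries: []x509.RevocationListEntry{
			{SerialNumber: big.NewInt(0x1001), RevocationTime: now.AddDate(0, 0, -2), ReasonCode: 1},  // keyCompromise
			{SerialNumber: big.NewInt(0x1002), RevocationTime: now.AddDate(0, 0, -5), ReasonCode: 4},  // superseded
			{SerialNumber: big.NewInt(0x1003), RevocationTime: now.AddDate(0, 0, -90), ReasonCode: 5}, // cessationOfOperation
		}}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

func main() {
	now := time.Now()
	if der, err := constructedCRL(now); err == nil {
		fmt.Println(recentlyRevoked(der, now, 7*24*time.Hour))
	}
}
```

`ParseRevocationList` does not verify the CRL's signature; call `CheckSignatureFrom` with the issuing CA certificate before trusting entries from a CRL fetched over the network.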



