The CA/B baseline requirements include storage of the private key on a FIPS 140 Level 3 cryptographic device (i.e. an HSM) so there's a certain minimum degree of assurance there.