cortesoft 3 days ago

So CAA records are supposed to keep a CA from issuing a certificate if the CAA record exists and doesn't have that CA.

However, this is relying on the CA to properly check the record. If the CA has a bug where it isn't validating properly, they could also fail to check the CAA properly. Also, this doesn't help against a malicious or compromised CA.