The TLS guarantees are to the edge of the infra of the vendor. If that vendor has decided to use infra providers that issue certs for them without their knowledge and they have not implemented CAA then the blame is not on TLS, it is on the vendor. A lot of what you mention can be explained by cloudflare issuing certs for customers without them knowing when using their DNS, an agressive WAF or other much more plausible things.