GauntletWizard 2 days ago

In this scenario, where OCSP is required and stapled: The CA can simply refuse to reissue the certificate if the host is compromised. It does not matter if it is refusing to issue an OCSP ticket or a new short-lived cert.

layer8 a day ago | parent [-]

The use case is to shorten the lifetime of an existing certificate. As long as the server serves the original certificate with the longer lifetime, the browser has no way to tell that it isn’t supposed to be that long anymore, without asking the CA.

Yes, you could restrict certificates to very short lifetimes like 24 hours or less, but that isn’t always practical for non-TLS use cases.
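An added example (not from this thread) modelling the client-side decision layer8 describes: a certificate with a long notAfter keeps its nominal lifetime, but with a stapled OCSP response the effective validity a client will accept shrinks to the earlier of the certificate's notAfter and the response's nextUpdate, and a must-staple certificate served without a fresh response is rejected. Names, dates and the `must_staple` flag are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class Cert:
    not_before: datetime
    not_after: datetime
    must_staple: bool  # models the TLS Feature (status_request) extension


@dataclass
class OcspResponse:
    status: str  # "good" | "revoked" | "unknown"
    this_update: datetime
    next_update: datetime


def effective_validity(cert: Cert, staple: Optional[OcspResponse],
                       now: datetime) -> Tuple[bool, str, Optional[datetime]]:
    """Decide acceptance and report how long the client would trust the cert."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate outside its validity window", None
    if staple is None:
        if cert.must_staple:
            return False, "must-staple cert served without OCSP response", None
        # Without a staple the client only sees the long lifetime on the cert.
        return True, "accepted on certificate lifetime alone", cert.not_after
    if not (staple.this_update <= now <= staple.next_update):
        return False, "stapled OCSP response is stale or not yet valid", None
    if staple.status != "good":
        return False, f"OCSP status is {staple.status}", None
    # The staple caps the effective lifetime at whichever boundary comes first.
    return True, "accepted", min(cert.not_after, staple.next_update)


# Constructed sample data: a one-year cert and two OCSP responses.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
LONG_CERT = Cert(NOW - timedelta(days=30), NOW + timedelta(days=365), must_staple=True)
SOFT_CERT = Cert(NOW - timedelta(days=30), NOW + timedelta(days=365), must_staple=False)
FRESH_STAPLE = OcspResponse("good", NOW - timedelta(hours=1), NOW + timedelta(days=7))
STALE_STAPLE = OcspResponse("good", NOW - timedelta(days=10), NOW - timedelta(days=3))

if __name__ == "__main__":
    for label, cert, staple in [("fresh staple", LONG_CERT, FRESH_STAPLE),
                                ("stale staple", LONG_CERT, STALE_STAPLE),
                                ("must-staple, no staple", LONG_CERT, None),
                                ("no must-staple, no staple", SOFT_CERT, None)]:
        print(label, "->", effective_validity(cert, staple, NOW))
```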