Re: someone managed to factor the primes
Yeah, this one's a shibboleth too.
(At least the certificates are in fact RSA, so there's a product of large primes to be factored. The original comment would have made even less sense if they were ECC certs. Oh, well.)
In any case, no one's going to the trouble of factoring a decent-sized RSA key for this, when you can buy leaked keys, or a private-key and certificate pair issued erroneously by a CA, for a reasonable price. And you can - see the link in my post above.
Many organizations have very poor code-signing-key hygiene. They have the keys sitting on build machines. They commit them to code repositories (sometimes on public servers like GitHub). They email them around the organization. Attackers who get into the corporate network have a decent chance of finding them, and they're easy to exfiltrate and sell.
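An added example, not part of the post above or of any project it mentions: the kind of check the "keys sitting on build machines / committed to repositories" point suggests, a small scanner that walks a directory tree and flags PEM-armored private keys (RSA, EC, DSA, OpenSSH, PKCS#8, noting whether they are passphrase-protected) and binary keystore bundles (.p12/.pfx/.jks) by name. The sample tree it builds is constructed for the demonstration and contains placeholder text, not real key material; the file names and layout are assumptions.

```python
import os
import re
import tempfile

# PEM private-key header. The optional prefix captures the legacy OpenSSL
# formats (RSA/EC/DSA), OpenSSH's format, and PKCS#8 plain/encrypted.
PEM_PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)

# Binary containers that carry private keys but have no text header to grep for,
# so they are flagged by file extension alone.
BINARY_KEY_SUFFIXES = (".p12", ".pfx", ".jks", ".keystore")

# .git objects are zlib-compressed, so a text regex can't see into them (history
# needs a separate pass, see the note below); node_modules is skipped for speed.
SKIP_DIRS = {".git", "node_modules"}


def scan_file(path):
    """Return a list of (kind, encrypted) findings for one file.

    encrypted is True/False for PEM keys and None for binary keystores,
    whose protection can't be judged without parsing them.
    """
    findings = []
    if os.path.basename(path).lower().endswith(BINARY_KEY_SUFFIXES):
        findings.append(("binary-keystore", None))
    try:
        with open(path, "rb") as fh:
            data = fh.read(1024 * 1024)  # keys are small; cap the read
    except OSError:
        return findings
    for m in PEM_PRIVATE_KEY_RE.finditer(data):
        kind = m.group("kind").decode()
        # PKCS#8 says so in the header; legacy OpenSSL keys announce a passphrase
        # with a "Proc-Type: 4,ENCRYPTED" line immediately after the header.
        tail = data[m.end():m.end() + 200]
        encrypted = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in tail
        findings.append((kind, encrypted))
    return findings


def scan_tree(root):
    """Map relative path -> findings for every file under root that looks like key material."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return results


def build_sample_tree():
    """Constructed sample checkout with keys checked in. Bodies are placeholders, not keys."""
    root = tempfile.mkdtemp(prefix="keyhygiene-")
    files = {
        "build/signing.key": (
            b"-----BEGIN RSA PRIVATE KEY-----\nMIIEnotRealKeyMaterial\n-----END RSA PRIVATE KEY-----\n"),
        "ssh/id_legacy": (
            b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
            b"notRealKeyMaterial\n-----END RSA PRIVATE KEY-----\n"),
        "config/prod.pem": (
            b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFnotRealKeyMaterial\n"
            b"-----END ENCRYPTED PRIVATE KEY-----\n"),
        "release/codesign.pfx": b"\x30\x82\x09\x00notRealPkcs12",
        "README.md": b"Never commit a PRIVATE KEY to this repo.\n",  # mentions, no armor
        "src/main.c": b"int main(void) { return 0; }\n",
        ".git/objects/ab/cdef": b"-----BEGIN RSA PRIVATE KEY-----\nignored by SKIP_DIRS\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, findings in sorted(scan_tree(build_sample_tree()).items()):
        for kind, encrypted in findings:
            print(f"{path}: {kind} (encrypted={encrypted})")
```

Running it on the sample tree reports the RSA key in build/, the passphrase-protected legacy key in ssh/, the encrypted PKCS#8 key in config/ and the .pfx in release/, and nothing for the README or the source file. An encrypted hit is still a finding: the passphrase is usually in a script or config a few directories away. Because a key deleted from the working tree survives in git history, run the same regex over `git log -p` (or a history-aware secret scanner) as well as over the checkout.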