I dunno - there's an argument to be made (which I'm not sure which side I'd come down on" that having a trusted CA say "Oh _those_ certs? They're ones we issued from a no-longer-trusted-root of ours! We can do whatever we want with that!" is at best disingenuous and quite possibly just timeshifting abuse of trust. The "trust" lies in the organisation, not in the individual certs. Pulling them from the root program shouldn't absolve the organisation from continuing to treat them as security-critical and shouldn't absolve them from abiding by the rules for them.

I don't want to pick on Cloudflare or Comodo right now (see my other comment in here), but if someone were to propose a rule change that says a CA's trust obligations extend to all their old retired trusted roots as well as their current and future ones, I'd be inclined to agree unless I heard a very convincing argument against it (that had some strong protections in place to stop some of the obvious abuse possibiulities).

Thought experiment: what'd happen to a CA with root trust, if they negotiated to update a root cert, replaced their old one in all the trust stores, then sold their old private key to $badpeople?