NSA probably hasn't broken strong crypto

Interestingly, having issued the certs would not get them the ability to decrypt the traffic. A cert request does not include the private key, so not even the CA can decrypt traffic under certs it issued.

What they could do would be to issue additional, apparently valid, certs, to themselves - for which they would control the corresponding private keys. To make use of those, however, they’d have to redirect traffic of interest to their own infrastructure and conduct a man-in-the-middle attack.

2 Likes
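The point made in the post above, as an added example (not code from the thread or its author): a Go program, standard library only, in which the site operator builds a certificate request and the CA-side parse recovers nothing but names, a public key and a proof-of-possession signature. The hostname `www.example.test` and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
)

// BuildCSR is the site operator's side: the key pair is generated locally and
// only the DER-encoded request goes to the CA; priv stays on the operator's host.
func BuildCSR(host string) ([]byte, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	return der, priv, err
}

// CAView is all the CA receives: names, a public key (returned as its SHA-256 SPKI hash), a self-signature.
func CAView(der []byte) ([]string, string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	return csr.DNSNames, hex.EncodeToString(sum[:]), csr.CheckSignature()
}

// PrivateScalarInRequest searches the request bytes for the private scalar D.
func PrivateScalarInRequest(der []byte, priv *ecdsa.PrivateKey) bool {
	return bytes.Contains(der, priv.D.Bytes())
}

func main() {
	der, priv, err := BuildCSR("www.example.test") // constructed hostname
	if err != nil {
		panic(err)
	}
	names, spki, err := CAView(der)
	fmt.Println(names, spki, err, PrivateScalarInRequest(der, priv))
}
```

Calling `BuildCSR` twice for the same name yields two different SPKI hashes, which is the observable difference between the operator's certificate and any additional certificate issued for another key pair.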