It is totally believable to me that this was an "honest" mistake, and Symantec's description of their response sounds correct. CAs can and do have stringent access policies governing the use of their signing certificates, but eventually some employees have to have access to those systems for various reasons for the business to actually function, and people make mistakes and do stupid things.
Both. Symantec definitely screwed up here, but the system is pretty bad and prone to errors like this. Unfortunately it is very hard to fix in an acceptable way. You can mostly trust the big commercial CAs to not do something like this intentionally since their business depends on their reputation. You need to worry more about smaller CAs that might take a big payout for issuing some fraudulent certificates even if it puts them out of business, or government controlled CAs that have limited accountability should they misuse their authority. Unfortunately, the mechanisms in place are not much more sophisticated than "trust" vs. "don't trust", although they are getting better.
By the way, the generic correct way to "test" things like this is to either make fake root CAs and install them as trusted on your test network, or make certificates for either fake domains (example.com) or domains you control.