I'll also add that Amazon Key Management Service, Azure Key Vault, and Google Key Management Service store several hundred million private keys combined, with no leaks so far (they are non-exportable and access is audited).
It is very rare that we see malware signed by a publisher's certificate, which is why it is in the news every time it happens.