zlacker

1. native (OP) 2022-03-05 17:25:43
Very unlikely NVIDIA have been signing with an expired cert for 5 years.

The real reason this is problematic is that Windows kernel driver signing wasn't complete before 2015. For signing (of anything) to be robust, it must be paired with a timestamping server. The signature then has these components:

1. The signature itself.

2. The certificate.

3. A data structure containing a hash of the signature, and a timestamp, signed by a timestamping authority.

The purpose of (3) is to prove when the signature was computed, which in turn means that signatures can live longer than the certificates themselves. Note that normal Windows (and Apple) code signing for user space has gotten this right for a long time. Apparently Windows didn't in kernel mode until 7 years ago.

Introducing timestamping isn't all that easy. If you stop accepting signatures because the underlying certificate expired, then you just put a time bomb in everyone's computers. So Microsoft had to allow the usage of expired certs and hope they'd never leak. They (eventually) lost that bet and the cert will now be revoked, but it won't have been used for many years so probably the overall damage is small.
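
Added example, not part of the original comment: a simplified Python model of the three components listed above and of the verifier decision with and without a timestamp. An HMAC with a constructed key stands in for the timestamping authority's signature, and the names `Cert`, `TimestampToken`, `tsa_issue`, `evaluate` and `legacy_allow_expired` are hypothetical.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

TSA_KEY = b"constructed-demo-key"  # stand-in: a real TSA signs with its private key

@dataclass
class Cert:                        # component (2), reduced to what matters here
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None

@dataclass
class TimestampToken:              # component (3)
    signature_hash: bytes
    signed_at: datetime
    tsa_mac: bytes

def _tsa_mac(sig_hash: bytes, when: datetime) -> bytes:
    return hmac.new(TSA_KEY, sig_hash + when.isoformat().encode(), hashlib.sha256).digest()

def tsa_issue(signature: bytes, when: datetime) -> TimestampToken:
    """The authority binds the hash of the signature to the time it saw it."""
    sig_hash = hashlib.sha256(signature).digest()
    return TimestampToken(sig_hash, when, _tsa_mac(sig_hash, when))

def evaluate(signature: bytes, cert: Cert, token: Optional[TimestampToken],
             now: datetime, legacy_allow_expired: bool = False) -> str:
    """Assumes component (1) was already verified against the certificate's key."""
    if cert.revoked_at is not None and token is None:
        return "reject: revoked, no proof of signing time"
    if token is not None:
        sig_hash = hashlib.sha256(signature).digest()
        if token.signature_hash != sig_hash or not hmac.compare_digest(
                token.tsa_mac, _tsa_mac(sig_hash, token.signed_at)):
            return "reject: timestamp token does not match"
        if not cert.not_before <= token.signed_at <= cert.not_after:
            return "reject: signed outside validity period"
        if cert.revoked_at is not None and token.signed_at >= cert.revoked_at:
            return "reject: signed after revocation"
        return "accept: signing time proven"
    if cert.not_before <= now <= cert.not_after:
        return "accept: certificate currently valid"
    if legacy_allow_expired:
        return "accept: legacy exception"  # keeps trusting an expired key indefinitely
    return "reject: expired, signing time unknown"
```

With `legacy_allow_expired=False` every untimestamped signature stops validating the day its certificate expires, which is the "time bomb"; with `True` the only remaining control is revocation.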
