Blog | G5 Cyber Security

The sorry state of certificate revocation

Public key infrastructure (PKI) is usually horribly implemented in the real world. It’s mostly broken because admins don’t deploy it right and software doesn’t enforce what needs to be enforced. Users bypass any PKI warning, resulting in untold downloads of who knows how much malware. A revoked certificate is supposed to be the same as no certificate, but most CA admins never revoke certificates. Or people keep using revoked certificates and no one notices, even when they should. Even more commonly, the software (or the user) doesn’t bother to check.

Source: https://www.csoonline.com/article/3000574/the-sorry-state-of-certificate-revocation.html
