
Wildcard certificates are a greater risk since they can be used for things you didn’t intend, so a lot of it comes down to how scoped they are (a subdomain like *.app.eng.example.com is way less effective for phishing) and how hard it would be for an attacker to reuse them (e.g. there’s less risk if it’s generated on an HSM or something like AWS ACM which doesn’t allow the private key to be transferred).

For a large organization, this probably just says that they have a lot of different systems and groups operating relatively independently with poor practices, which isn’t an immediate problem but suggests that they’re an easier target than some.
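
The scoping point in the comment above, as an added example that is not part of the original comment: it applies the usual hostname-matching rule (RFC 6125: `*` is the whole left-most label and stands for exactly one label) to show which hosts each wildcard name can vouch for. The function names, the hostname inventory and the SAN list are constructed for illustration.

```python
# Added example: how far a wildcard certificate name reaches.
# Rule assumed (RFC 6125 style): "*" is valid only as the entire left-most
# label and stands for exactly one DNS label. Public-suffix checks are out
# of scope; as a conservative stand-in, a wildcard needs two fixed labels.

def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` is valid for `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h or "*" in hostname:
        return False                      # malformed name or not a real host
    if p[0] != "*":
        return p == h                     # exact name (partial "w*" never matches)
    if len(p) < 3 or any("*" in label for label in p[1:]):
        return False                      # "*.com" or wildcard in a later label
    # Equal label count: "*" never spans dots and never matches the parent.
    return len(p) == len(h) and p[1:] == h[1:]


def audit(san_names, inventory):
    """Map each wildcard SAN to the inventory hosts it could be presented for."""
    report = {}
    for name in san_names:
        if name.startswith("*."):
            report[name] = sorted(h for h in inventory if wildcard_covers(name, h))
    return report


# Constructed sample data (example.com names, not from a real deployment).
INVENTORY = [
    "www.example.com", "login.example.com", "mail.example.com",
    "api.app.eng.example.com", "ci.app.eng.example.com",
    "eng.example.com", "example.com",
]
SANS = ["*.example.com", "*.app.eng.example.com", "www.example.com"]

if __name__ == "__main__":
    for name, hosts in audit(SANS, INVENTORY).items():
        print(f"{name}: {len(hosts)} host(s) -> {', '.join(hosts)}")
```

Run against a real SAN export and host inventory, the per-wildcard host count gives a rough measure of how much a single leaked key would expose.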


