woodruffw 3 days ago

A real-world example of this would be Heartbleed, where users rotated without revoking their previously compromised certificates[1].

[1]: https://en.wikipedia.org/wiki/Heartbleed#Certificate_renewal...

ocdtrekkie 2 days ago

Was a single certificate actually compromised and/or used maliciously? I am looking for an actual breach, not a theoretical scenario.

ferngodfather 1 day ago

Based on that Wikipedia article, no. This is just more of the same friendless PKI geeks making the world unnecessarily more complicated. The only other people that benefit are the certificate management companies that sell more software to manage these insane changes.

woodruffw 1 day ago

Did you read it? There are multiple examples of claimed exploitation right below the section I linked.

ferngodfather 1 day ago

Which bit talks about stealing a certificate/keys and MITMing traffic with the stolen keys - with real-world ramifications?

woodruffw 1 day ago

There are multiple examples of service compromise in the linked Wikipedia page.