As an aside, I really don't like wildcard certs. If the private key is compromised, the consequences are so much worse than if you lose a regular cert.
How so? The update mechanisms use certificate pinning, and even if they didn't it sounds like an argument to use different certificates for code signing and for web servers. What other problems could there have been? Most people are only going to verify that it's microsoft.com.
That's true if you're trying to save money by putting a ton of domains behind a single wildcard cert using a single private key. But there are security advantages to using multiple wildcard certs based on different private keys. One of them is that you can develop a nearly infinite number of sites without exposing the domain name via the certificate, so they can't be crawled or pentested until they are deployed publicly. The number of certs you buy should be based on the number of private keys you can securely deploy.
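To make the enumeration point above concrete, here is an added example (my own, not code from anyone in this thread): it takes two constructed subjectAltName lists, one from a wildcard cert and one from a multi-name cert, shows which hostnames an observer (say, someone reading Certificate Transparency logs) learns from each, and implements the RFC 6125 section 6.4.3 wildcard matching rule so you can see what `*.example.com` does and does not cover. The hostnames and the public-suffix check are assumptions for illustration, not anything from the thread.

```python
"""What a certificate's SAN list exposes, and how wildcard names match.

Added example for the thread above; not a commenter's code.
The SAN lists below are constructed for illustration.
"""

# Constructed SAN lists (no real certificates involved).
WILDCARD_SANS = ["*.example.com"]
EXPLICIT_SANS = [
    "www.example.com",
    "api.example.com",
    "staging-v2.example.com",
    "internal-admin.example.com",  # the kind of name you would rather not publish
]

# Assumption: treat single-label suffixes (TLDs like "com") as public suffixes,
# so "*.com" is rejected. A real client consults the Public Suffix List.
MIN_LABELS_AFTER_WILDCARD = 2


def exposed_hostnames(sans):
    """Hostnames an observer learns just by reading the cert's SAN entries.

    A wildcard entry names no concrete host, so it leaks nothing about which
    subdomains exist; explicit entries enumerate them.
    """
    return sorted(n for n in sans if not n.startswith("*."))


def matches_san(hostname, san):
    """RFC 6125 sec. 6.4.3 style matching of one hostname against one SAN.

    Rules applied:
      - comparison is case-insensitive, trailing dots ignored
      - a wildcard is only valid as the entire left-most label ("*.example.com")
      - the wildcard matches exactly one non-empty label, so it covers
        "www.example.com" but neither "example.com" nor "a.b.example.com"
      - wildcards directly under a public suffix ("*.com") are rejected
    """
    host = hostname.lower().rstrip(".")
    pat = san.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    # Partial wildcards ("w*.example.com") and multiple wildcards are not allowed.
    if not pat.startswith("*.") or "*" in pat[1:]:
        return False
    suffix = pat[1:]  # ".example.com"
    if suffix.count(".") < MIN_LABELS_AFTER_WILDCARD:
        return False  # "*.com" would match every .com host
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    # Exactly one label may stand in for the wildcard.
    return bool(left) and "." not in left


def hostname_matches(hostname, sans):
    """True if any SAN entry covers the hostname."""
    return any(matches_san(hostname, s) for s in sans)


if __name__ == "__main__":
    print("wildcard cert exposes:", exposed_hostnames(WILDCARD_SANS))
    print("explicit cert exposes:", exposed_hostnames(EXPLICIT_SANS))
    for h in ["www.example.com", "example.com", "a.b.example.com", "evil-example.com"]:
        print(f"{h:20} matched by *.example.com: {hostname_matches(h, WILDCARD_SANS)}")
```

The two halves of the trade-off are visible in the output: the wildcard cert publishes no hostnames at all, while the explicit cert hands an attacker a ready-made list of targets; on the other hand, the single wildcard key vouches for every one-label subdomain, so its compromise covers all of them at once, which is the blast-radius concern raised at the top of the thread.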