I think it’s mostly do with the carelessness of the devs. They’ve let their certificates expire multiple times (and suggested their users put their clocks back as a workaround) and DDOSed the AUR a couple of times by accident. To be fair, I haven’t heard of any foul ups in a long time so maybe they’re being more careful now.