Some CAs interpret the CA/B forum rules more strictly than others. Some require attestation proof that chains up to a hardware root of trust while others just require you to pinky promise that you use an HSM. A while back I asked our CA why they don't require the attestation and they said it isn't strictly required by the CA/B rules.