
... because they can force CAs to give them the keys to decrypt all traffic.


That's not true, since CAs don't have "the keys to decrypt all traffic." They have the ability to sign website operators' public keys, but they do not have access to the website operators' private keys.

Of course, the CA could also issue a fake certificate with attacker-controlled keys, but if they tried to do so, they would get caught by Certificate Transparency.



