I'm surprised by the amount of certificate fragmentation these companies have. Why would they use so many different certificate types and vendors? Twitter is even worse:
https://crt.sh/?q=%25.twitter.com
Running a CA is a major pain, adds auditing and other requirements that are ongoing pain, and prior to the past year or so Facebook did not issue enough certificates to make the cost worthwhile. Doing this right means adding a lot of logging and access control around a few parts of the infra stack that would manage this, so why not pay someone else to deal with the paperwork and bother? All FB certs are on the CT logs as a matter of policy, so that there are no loopholes in our current statement that if a Facebook cert is not on the CT logs you should not consider it valid; we will accept the loss of secrecy (and people launching new stuff hate it but have learned to adjust) if the end result is making it harder for someone to slide a dodgy cert into the chain.
https://crt.sh/?q=%25.facebook.com
A host of servers turn up in that list, which may similarly be less security tested than the main facebook.com site.