I'm pretty sure they do; I know the CA I used to be involved with did D&B checks and gathered other docs before issuing new EV certs. The data-gathering process usually took a couple of weeks and had to be validated by certified individuals, and the actual issuance had to be performed by two managers.
In this case, though, attackers are believed to have compromised the infrastructure and had enough access that they could issue whatever they liked without going through the audit and security controls. The technical measures which could prevent this are difficult, cumbersome, expensive and not foolproof. At some point you have to be able to accept a CSR from a customer, expose it to the HSA and receive a result. If you can get anywhere in that path, you can send your own CSRs and have whatever you want signed.
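As an added illustration of the two-manager control the comment above describes (this is example code, not the commenter's or any CA's software), the gate below binds each manager's approval to the SHA-256 digest of the exact CSR bytes and refuses to hand a CSR to the signer unless two distinct managers have approved that digest. Approver identities, roles and the per-approver HMAC secrets are constructed placeholders; a real deployment would hold those keys in an HSM or use per-user signing keys. The point is the one the comment makes: reaching the CSR-to-signer path is not enough on its own if the signer only accepts CSRs whose digest carries two valid, independent approvals.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample approvers. Keys are placeholders for this offline example;
# in practice each approver's key material would be HSM- or smartcard-held.
APPROVER_KEYS = {
    "mgr-alice": b"alice-secret-constructed",
    "mgr-bob": b"bob-secret-constructed",
    "val-carol": b"carol-secret-constructed",
}
APPROVER_ROLES = {
    "mgr-alice": "manager",
    "mgr-bob": "manager",
    "val-carol": "validator",  # may validate documents, may not authorise issuance
}


@dataclass(frozen=True)
class Approval:
    approver: str
    csr_digest: str  # hex SHA-256 of the exact CSR bytes that were approved
    tag: str         # HMAC-SHA256 over csr_digest under the approver's key


def csr_digest(csr_der: bytes) -> str:
    """Digest of the CSR bytes; approvals are bound to this value, not to a name."""
    return hashlib.sha256(csr_der).hexdigest()


def approve(csr_der: bytes, approver: str) -> Approval:
    """Record an approval for exactly these CSR bytes by the named approver."""
    digest = csr_digest(csr_der)
    tag = hmac.new(APPROVER_KEYS[approver], digest.encode(), hashlib.sha256).hexdigest()
    return Approval(approver, digest, tag)


def authorize_issuance(csr_der: bytes, approvals, required: int = 2):
    """Return (True, 'ok') if the CSR may be sent to the signer, else (False, reason).

    Enforces: every approval is for this CSR's digest, every approval tag verifies
    under the approver's key, approvers hold the manager role, and at least
    `required` distinct managers approved.
    """
    digest = csr_digest(csr_der)
    valid_managers = set()
    for a in approvals:
        if a.csr_digest != digest:
            # An approval over a different CSR must not carry over to this one.
            return False, f"approval by {a.approver} is for a different CSR"
        if APPROVER_ROLES.get(a.approver) != "manager":
            continue  # non-managers (or unknown ids) do not count toward the quorum
        expected = hmac.new(APPROVER_KEYS[a.approver], digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.tag):
            return False, f"bad approval tag from {a.approver}"
        valid_managers.add(a.approver)  # a set, so one manager approving twice counts once
    if len(valid_managers) < required:
        return False, f"need {required} distinct manager approvals, have {len(valid_managers)}"
    return True, "ok"


if __name__ == "__main__":
    csr = b"constructed CSR bytes for demo"
    a1, a2 = approve(csr, "mgr-alice"), approve(csr, "mgr-bob")
    print(authorize_issuance(csr, [a1, a2]))                          # (True, 'ok')
    print(authorize_issuance(csr, [a1, approve(csr, "mgr-alice")]))   # same manager twice
    print(authorize_issuance(b"substituted CSR", [a1, a2]))           # approvals for other CSR
```

Each refusal returns a reason string rather than raising, so the decision can be written to the issuance audit log alongside the CSR digest and the approver ids that were presented.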