It seems you're asking two very different questions, but I'm hoping you could clarify:
- Are you asking why it is not OK for CAs to generate keys?
- Or are you asking why it is OK for resellers and other intermediates to generate keys?
To your latter point, about "evading" the requirement: yes, it's certainly true that a CA could do that. Yet, as the discussion captures, the goal of any policy is to try to capture the expectations, while being mindful of the unintended or second-order consequences.
For example, you could, in theory, fully mitigate, if not outright prevent, crime by having a police official assigned to each and every person, following them 24/7. Yet, in most societies, we recognize that as authoritarian abuse, and it would have a number of measurable harms to individuals.
In this specific situation, we're acknowledging that there is frequently a path of intermediates between what might conceptually be seen as "the site" and the CA. I say "conceptually", because it's actually quite complicated with respect to how the Applicant/Subscriber roles function.
On the "close to the site operator" side, you have entities like marketing companies, CDNs, IT (which may be in-sourced or may be out-sourced), hosting providers - all entities that may have access to the keys or may be responsible for generating keys.
On the "close to the CA" side, you obviously have the CA themselves, but then you have entities like resellers.
The problem is that those "resellers" may themselves be the CDNs, IT teams, hosting providers, etc. - it's not a binary either/or, but can be multiple of these at once.
Recognizing this, the policy tries to express both a principle and an outright prohibition. The CA themselves MUST NOT generate the key - primarily because in all cases (except where the CA is self-issuing to themselves), the CA won't be the one actually using or operating the key, which means dealing with complexities like key transport and key protection, and the risk of key archival. As we get closer to the site operator, it becomes more of a "site operator problem" to sort out, because we recognize there are legitimate reasons why you may want to have your hosting provider generate the key for you - for example, so they can automatically maintain and renew your certificate for you.
In policy, as in life, we accept the imperfection, because we don't want to let the perfect be the enemy of the good. We also use this to express principles and expectations.
Can CAs do things that stray from the good path? Yes, certainly. But we can deal with and address those situations as we become aware.