China has a CA. But so do lots of small Latin American countries. It'd be silly to think that a government the size of China cannot compromise some little country's CA. It'd also be silly to think that they cannot get inside at least one US CA. Comodo has shown that their controls are lacking, and that wasn't even a directly compromised employee.
So, China having a CA installed, while not great, certainly isn't giving them control they can't already get. Plus, why would they want to risk their own CA cert doing malicious things, where it'd be directly traceable to them?