The Certificate Authority looks at the domain string starting from the root, and NSS looks at it like a normal string.
The real problem is not just that they both stop at the null character, but that they both preserve the original input instead of only passing along the part before the first null.
Earlier today I wrote a post about "security problems that C causes" and neglected to mention the use of null-terminated strings instead of a proper data structure that encapsulates length along with the string.
Well, this is what happens when you assume some sort of special data is valid, when it isn't actually. (\0 can appear in a string, it's a perfectly valid character, so it's not safe to use it to terminate the string. But people do anyway.)
All software (code+data) on the Wii must be signed, but the code burned into the supervisor chip does a strcmp on the raw binary signature. It's pretty trivial to generate a hash collision when you can force only the first byte to be compared :)
The real problem is not just that they both stop at the null character, but that they both preserve the original input instead of only passing along the part before the first null.