We have always adopted a high-security model when issuing digital certificates. We use a trust chain which ensures that the Primary Root CA (i.e. the GlobalSign root CA certificate that is pre-installed with all browsers, applications, and mobiles), which is used to create the Intermediate Root CA, is offline and kept in a highly secure environment with stringently limited access.
This means the root CA is not used to directly sign end-entity SSL certificates. We thereby follow a best-practice approach to Public Key Infrastructure that protects against the major effects of a key compromise. For example, a key compromise of the Primary Root CA would render the root and all certificates issued by the root untrustworthy; because we keep our root offline, this (already somewhat unlikely) event is significantly less likely to happen.
Intermediate root CAs are utilized by all major Certification Authorities because of the extra security level they provide.
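The trust chain described above can be reproduced with the `openssl` CLI. This is an added example, not GlobalSign's tooling or code from this page; it shows that an end-entity certificate validates only through the intermediate. All subject names, file names and the `pathlen:0` constraint are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: constructed two-tier hierarchy; every name here is hypothetical.
set -euo pipefail

build_chain() {
  cd "$(mktemp -d)"
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder-overridden-by-subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:www.example.test
EOF
  local req="openssl req -config pki.cnf -newkey rsa:2048 -nodes"
  local sign="openssl x509 -req -extfile pki.cnf -CAcreateserial"
  # 1. Root CA: self-signed; root.key stands in for the key that is kept offline.
  $req -x509 -extensions v3_root -subj "/CN=Example Root CA" -days 3650 \
    -keyout root.key -out root.crt 2>/dev/null
  # 2. Intermediate CA: the only certificate root.key signs in this hierarchy.
  $req -new -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
  $sign -in int.csr -CA root.crt -CAkey root.key -extensions v3_int -days 1825 \
    -out int.crt 2>/dev/null
  # 3. End-entity certificate: signed with int.key, so root.key is not needed online.
  $req -new -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  $sign -in leaf.csr -CA int.crt -CAkey int.key -extensions v3_leaf -days 365 \
    -out leaf.crt 2>/dev/null
}

# Path validation succeeds only when the intermediate links the leaf to the root.
verify_full_chain() { openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1; }
verify_without_intermediate() { openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; }
leaf_issuer() { openssl x509 -in leaf.crt -noout -issuer; }

build_chain
verify_full_chain && echo "leaf -> intermediate -> root: OK"
verify_without_intermediate || echo "leaf against root alone: rejected"
leaf_issuer
```

After step 2 the root key is not used again, which is the property that lets a CA keep it offline while the intermediate handles day-to-day issuance.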