Running a CA is a major pain, adds auditing and other requirements that are ongoing pain, and prior to the past year or so Facebook did not issue enough certificates to make the cost worthwhile. Doing this right means adding a lot of logging and access control around a few parts of the infra stack that would manage this, so why not pay someone else to deal with the paperwork and bother? All FB certs are on the CT logs as a matter of policy, so that there are no loopholes in our current statement that if a Facebook cert is not on the CT logs you should not consider it valid; we will accept the loss of secrecy (and people launching new stuff hate it but have learned to adjust) if the end result is making it harder for someone to slide a dodgy cert into the chain.