The CA that issues the 20 year certs stays offline, so the only way to get the private key is to hack each machine.

If the machine is compromised to the point where you can extract the key, the cert does very little since you already own the endpoint.