Is there any security risk when a certificate authority is used more than all others?

TL;DR: It does not matter much.

The only security "risk" here really is the CA being "Too big to fail", where the browsers cannot distrust the CA quickly. But this is happening to all big CAs, not just the biggest one.

Other than that, the only problem may be the CA being a more tempting target, though all CAs are already very tempting. Having all the eggs in one basket has its advantages and its disadvantages in this situation. The advantage is that you need to protect just one basket; the disadvantage is that if that basket breaks, the impact is somewhat bigger (assuming technologies like CAA and HPKP are used, otherwise it does not matter how big the CA is).


To break this discussion out of comments on the other answer: one issue with a single CA dominating is that if there is a problem requiring it to be replaced (e.g. browsers stop trusting it, or it goes bust), there needs to be somewhere for everyone to migrate to. This is true of any CA, but if customers are spread around many different providers, there is a smaller number needing to migrate, and switching providers will be a more common occurrence as people shop around for the best deal.

In the extreme case, a collapsing monopoly would require a completely new CA to be set up, or at least a small one to scale up very quickly. If existing certificates could be trusted, but none issued after a certain date, the timescale would depend on how long certificates were issued for.

If the CA were issuing short certificates and relying on automatic renewal systems, then either users would need to replace their automation infrastructure, or the new CA would need to provide a compatible service. This would be somewhat easier if the service provided by the old CA was based on open standards or open-source code (as happens to be the case with Let's Encrypt), since the new CA would not need to reverse-engineer it to take it over; similarly, there might be scenarios where the old CA was willing to co-operate in the transition. There would still be effort involved if the new CA was not already implementing the same protocol, of course.
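The timescale point in the answer above can be worked through on a certificate inventory. This is an added example, not part of either answer: the hosts, issuer names (`BigCA`, `OtherCA`), dates and function names are all constructed, and the policy modelled is the one described there (certificates issued before a cutoff stay trusted until they expire, later ones are rejected).

```python
from datetime import date, timedelta

# Constructed inventory: hosts, issuer names and dates are illustrative only.
INVENTORY = [
    {"host": "shop.example.test", "issuer": "BigCA", "not_before": date(2024, 1, 15), "days": 90},
    {"host": "mail.example.test", "issuer": "BigCA", "not_before": date(2023, 12, 1), "days": 398},
    {"host": "api.example.test", "issuer": "BigCA", "not_before": date(2024, 3, 5), "days": 90},
    {"host": "docs.example.test", "issuer": "OtherCA", "not_before": date(2024, 2, 1), "days": 90},
]

def plan_migration(inventory, distrusted_issuer, cutoff, today):
    """Classify certificates when a CA is distrusted for anything issued on or after `cutoff`."""
    plan = {}
    for cert in inventory:
        not_after = cert["not_before"] + timedelta(days=cert["days"])
        if cert["issuer"] != distrusted_issuer:
            plan[cert["host"]] = ("unaffected", None)
        elif cert["not_before"] >= cutoff:
            # Issued after the cutoff: clients already reject it, replace immediately.
            plan[cert["host"]] = ("untrusted-now", 0)
        elif not_after <= today:
            plan[cert["host"]] = ("expired", 0)
        else:
            # Still trusted, but it cannot be renewed at the same CA:
            # the remaining lifetime is the whole migration budget.
            plan[cert["host"]] = ("grandfathered", (not_after - today).days)
    return plan

def migration_window(plan):
    """(first, last) days-left among grandfathered certificates, or None if there are none."""
    left = [days for status, days in plan.values() if status == "grandfathered"]
    return (min(left), max(left)) if left else None

if __name__ == "__main__":
    plan = plan_migration(INVENTORY, "BigCA", cutoff=date(2024, 3, 1), today=date(2024, 3, 10))
    for host, (status, days) in plan.items():
        print(f"{host:20} {status:14} {days if days is not None else '-'}")
    print("migration window (days):", migration_window(plan))
```

With 90-day certificates the first deadline arrives within weeks, which is why a CA built on short lifetimes and automated renewal leaves little time to stand up a compatible replacement.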