I believe this check does more harm than good.

A fully compliant CA which generates a random serial number from exactly 64 bits of entropy will produce a serial number less than 8 bytes long 1 in 256 times. That means that for every million certs issued, this check will cause about 4,000 false positives.

To avoid the false positives, the CA might be induced to do something silly like ensure the first byte of the serial number always has at least one bit set, which reduces the entropy to less than 64 bits. GoDaddy did this: https://groups.google.com/d/msg/mozilla.dev.security.policy/S2KNbJSJ-hs/VArvVlv0BgAJ

The only sensible way to detect low entropy is to run an analysis across a large corpus of certificates. If you try to detect it on a cert-by-cert basis you should at least have a much smaller minimum length than 8 so there's a lower false positive rate than 1/256.