To be fair, CA's and SSL in general were designed to protect e-commerce. As a risk-reword calculation, it probably works for that. The problem is, neither SSL or CA's are robust enough to protect against state-level actors.