Hacker News

Those are weaknesses in the signing authorities. Signing authorities are a layer of SSL, and a rather high one. It is possible to use SSL without them. I have an app I've written that uses SSL, and since it's essentially one thing we own talking to another thing we own (from a security perspective), there's no signing authority, no Verisign, no NSA, just, is this the exact SSL cert we issued to this SSL user or not?

Not that there aren't other problems at times with SSL, especially depending on how you use it, but your criticism may be more limited than you realize.
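The CA-free check the comment describes, as an added example that is not part of the original comment or the commenter's app: a Python client that turns off signing-authority validation and accepts the connection only if the peer presents the exact certificate that was issued. It covers the client checking the server only; the function names, host, port and pin value are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Peer presented a certificate other than the one we issued."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the whole DER certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert, pinned_hex: str) -> bool:
    """True only if the peer's certificate is byte-for-byte the pinned one."""
    if not der_cert:  # peer sent no certificate at all
        return False
    return hmac.compare_digest(fingerprint(der_cert), pinned_hex.lower())


def pinned_context() -> ssl.SSLContext:
    """TLS client context with CA and hostname checks off; the pin replaces them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_pinned(host: str, port: int, pinned_hex: str, timeout: float = 5.0):
    """Handshake, then refuse the connection unless the peer cert matches the pin."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = pinned_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not check_pin(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise PinMismatch("peer certificate does not match the pinned fingerprint")
    return tls  # no application data has been sent before this point
```

The pin can be computed once from the issued PEM file with `fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))`. With `CERT_NONE` set, the fingerprint comparison is the only authentication of the peer, so every code path that opens a connection has to go through it.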


