These are not weaknesses in SSL/TLS
They are weaknesses in the current PKI. And yes, the PKI is thoroughly broken. There are too many vendors supported by default in all the browsers, virtually guaranteeing that at least one is vulnerable to some sort of attack.
Perhaps the browser makers should perform a thorough audit of each authority before allowing it in?
Or perhaps it's time for some other clever PKI scheme... not a clue how you'd go about making a better one, though. There must be a way!