So, what stops someone from getting a malicious app signed by the CA and then MITMing your PuTTY download with that? (Based on a quick web search, a code signing certificate is about $70.)
If you secure your official download page via HTTPS, MITMing that connection requires getting your website cert signed by a CA. Which, while possible (see: DigiNotar), tends to be something the CAs try to avoid - lest they lose their license to print money by having their certificates revoked by browser vendors.