Umm, yeah, right. Basic fail at understanding public/private key cryptography.
If crypto systems relied on trusting that everyone does the right thing, they would be useless.
After such a fundamental failure, it's hard to take the rest of the article seriously.
So, if your browser has a CA belonging to CNNIC, a Chinese corporation which could certainly act for the Chinese government, they could pull off this spoofing. The question then is, is CNNIC in people's browsers? According to http://www.mozilla.org/projects/security/certs/included/, it is in Firefox.
As to how to pull off the spoofing, if you have a root CA, you can sign arbitrary certs, i.e. for domains you don't own.
So, the article is right and SSL does require trusting all your trusted CAs are trustworthy.
(edited for clarity and tone)
You break RSA by factoring n into p × q.
Firstly, I doubt that US (say) government personnel will remove Chinese CAs, never mind contractors or even ordinary business people or citizens, so to my mind this is a risk to trusting SSL, even if expert users can mitigate it as you have described.
Secondly, I believe CAs can also sign other CAs (and indeed Entrust did this for this very Chinese CA) so it's not that simple. You might need to distrust most CAs, which makes using SSL slightly tricky.
Thirdly, even if you remove the CA now, how do you know you weren't already MITM-attacked back in February? It's too late.
As for mitigation, alerting the user on CA or certificate changes might help, but getting the UX right will be hard. I could see a solution in the future where your bank sends you a memory stick with portable firefox installed on it and precisely one trusted certificate — the bank's. Of course, that means trusting the mail system, but since we already trust the mail system (e.g. using mailed statements for ID verification) we can't be worse off. An attack would require hijacking the USB stick and your connection to the bank at the beginning of the same session for it not to be noticeable — not so easy.
Of course, configuring your system to trust any valid certificate is just stupid.
However, the threat of Chinese authorities sniffing SSL traffic is real. Just remember the root certificate issued by the China Internet Network Information Center that ended up in Firefox; see http://news.ycombinator.com/item?id=1244444
Actually, in-browser SSL crypto without certificate verification (as in "is this the same certificate that it was before?", not as in "is this certificate signed by a trusted CA?") relies exactly on that assumption.
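As an added example, not from any commenter in this thread, here is the "alert the user on certificate changes" idea from the mitigation comment above and the "is this the same certificate it was before?" check from the last comment written as a trust-on-first-use pin store; the host name, issuer strings and certificate bytes used with it are constructed placeholders, and `fetch_server_cert` is only there to show where a live DER certificate would come from.

```python
"""TOFU pinning: remember the certificate a host showed first time and flag
any later change, so a swapped certificate is noticed even when a trusted
root CA in the browser vouches for it."""
import hashlib
import json
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, colon-separated hex."""
    h = hashlib.sha256(der_cert).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


class PinStore:
    """host -> {fingerprint, issuer}; persisted to a JSON file if a path is given."""

    def __init__(self, path=None):
        self.path = path
        self.pins = json.loads(path.read_text()) if path and path.exists() else {}

    def check(self, host: str, der_cert: bytes, issuer: str) -> str:
        """Return 'first-seen', 'match', or a 'MISMATCH (...)' verdict for host."""
        fp = fingerprint(der_cert)
        pin = self.pins.get(host)
        if pin is None:
            # First contact: nothing to compare against yet, so record it.
            self.pins[host] = {"fingerprint": fp, "issuer": issuer}
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-seen"
        if pin["fingerprint"] == fp:
            return "match"
        # Different certificate: report whether the issuing CA changed too,
        # which is what a certificate minted by another root would look like.
        if pin["issuer"] == issuer:
            return "MISMATCH (same issuer; possibly a routine renewal)"
        return f"MISMATCH (issuer changed from {pin['issuer']!r} to {issuer!r})"


def fetch_server_cert(host: str, port: int = 443) -> tuple:
    """DER certificate and issuer of a live server (needs network; not run here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            rdns = tls.getpeercert()["issuer"]
            issuer = ", ".join(f"{k}={v}" for rdn in rdns for k, v in rdn)
    return der, issuer
```

A pin recorded after the attack began would of course pin the attacker's certificate, which is the "too late by February" problem raised above; the store only tells you that something changed, not which side of the change was genuine.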