If the alternative is not scanning SSL traffic for malware, then perhaps, if it's done correctly, it's not a bad compromise. For example, a broken upstream cert should just be treated the same as if malware was detected. I bet good AV would update revocation lists more often than the OS & browser do too.