The inherent design flaw is that announcing via SPF "Oh, yes, and Google is allowed to forge email on my behalf" allows Google to forge email on your behalf.
All else follows. The enemy of security is convenience, and it's very convenient to hand over mail to Microsoft, Google, etc.
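To see how far that authorization extends for a given domain, the following added example (not part of the comment above) walks a domain's SPF `include:` chain and reports which address ranges are authorized by delegation rather than listed by the domain itself. The TXT records, the `_netblocks.provider.test` name and all IP ranges are constructed for illustration, and the function names are hypothetical; only `ip4`, `ip6` and `include` are evaluated.

```python
import ipaddress

# Constructed TXT records using documentation IP ranges (not real provider data).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 include:_netblocks.provider.test ~all",
    "_netblocks.provider.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}


def walk(domain, zone, chain=(), limit=10):
    """Yield (network, chain) for each ip4/ip6 range that passes SPF for domain.

    chain is the tuple of record owners followed to reach that range.
    Simplified guard: loop detection plus a depth limit (RFC 7208 caps
    DNS-querying terms at 10). a, mx, exists, ptr and redirect need live DNS
    or extra rules and are ignored here.
    """
    chain = chain + (domain,)
    if len(chain) > limit or domain in chain[:-1]:
        return
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return
    for term in terms[1:]:
        if term[0] in "-~?":  # only the pass qualifier authorizes a sender
            continue
        name, _, value = term.lstrip("+").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6") and value:
            yield ipaddress.ip_network(value, strict=False), chain
        elif name == "include" and value:
            yield from walk(value, zone, chain, limit)


def authorized_by(ip, domain, zone=ZONE):
    """Return the include chain that authorizes ip for domain, or None."""
    addr = ipaddress.ip_address(ip)
    for net, chain in walk(domain, zone):
        if addr.version == net.version and addr in net:
            return chain
    return None


def delegated(domain, zone=ZONE):
    """List (range, record owner) pairs the domain authorizes only via include."""
    return sorted((str(net), chain[-1])
                  for net, chain in walk(domain, zone) if len(chain) > 1)
```
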