I agree with your post generally, but has Snowden said anything about CAs? I did expect to hear that at least one has signed anything the NSA put in front of them, but I don't recall Snowden providing "proof"* of this.
* I'm in no position to verify anything Snowden leaks.
The main thing is that CAs are centralized proxies for trust combined with the revelations that confirm that the NSA directly targets such central entities. There was a lot of general uneasiness about the reliance on CAs before the Snowden revelations, and I think the fact that NSA documents show that it leans on such central entities confirms the wisdom of that unease.
I don't know about the NSA, but I've personally negotiated a deal with a CA to add whatever domains we wanted to a certificate without validation. They just "trusted us."
* I'm in no position to verify anything Snowden leaks.