If the NSA was MITMing SSL communications on a wide scale, presumably the companies would notice that the cert fingerprints were not what the companies expected.
That would mean they've broken TLS, which, whatever powers the NSA supposedly has, seems unlikely.
I don't think they would be intercepting SSL traffic either, because Google has a hard enough time legitimately updating their certificates [1] that I imagine if the government were doing it on a wide scale people would definitely notice.
Without the key, they couldn't read it. Getting a CA on board doesn't give them that (that would only allow them to create an alternative key that software without pinning would accept); they would need to either be given the key by anyone that had it or factor it themselves.
The private key should not be that hard to obtain. Google has thousands of frontend servers, and each one of them has to have the SSL private key (at least in memory). Probably at least a hundred people have access to these servers. It's enough to bribe just one of them.