CAs like Verisign don't have the key, though; this misconception is too common. If you're doing it right, the CA is just signing a cert you've generated; they never see the key.
Once you've got this new cert you can MITM, but you can't use it to decrypt the traffic already captured. Also, anyone paying attention sees the cert fingerprint change out of the blue.
A) Law enforcement doesn't need to decrypt previously-captured traffic; they either want to fish for criminal activity or they'll allow their target to build up new incriminating evidence. B) Who pays attention?
A) That's what they were after though: “all information necessary to decrypt data stored in or otherwise associated with [the account].” A rogue cert and MITM would get the password for the account though, unless B.
B) Anyone who knows what they're doing and has something they really want to keep secret? Maybe if someone had such a secret they'd learn to check the cert, maybe even install an extension that would highlight unexpected changes.
Most people aren't verifying that the cert doesn't change every time they visit a site, though. If they have Verisign sign a new cert and replace the old one, 99% of users will never notice, because their browsers won't yell at them.
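The check the thread keeps coming back to, "watch whether the site's cert fingerprint changes between visits", is a trust-on-first-use pin. The following is an added example, not code from any commenter or from any browser extension; it assumes the pin store is a plain dict (a real tool would persist it on disk) and pins the SHA-256 of the whole DER certificate, so it flags a legitimate renewal as well as a rogue re-issuance, and a human has to decide which it is. The certificate bytes in `demo()` are constructed stand-ins, not real X.509 blobs; `fetch_cert_der()` is how you would get a live one.

```python
"""Trust-on-first-use certificate fingerprint check (added example)."""
import hashlib
import socket
import ssl


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def check_cert(host: str, cert_der: bytes, store: dict) -> dict:
    """Compare the presented certificate with the one pinned for `host`.

    Returns a dict with:
      status - "first-seen", "match" or "changed"
      seen   - fingerprint presented now
      pinned - fingerprint previously stored (None on the first visit)
    On "changed" the store is NOT updated: someone has to decide whether the
    new cert is a routine renewal or something else, which is the step the
    thread says almost nobody performs.
    """
    seen = fingerprint(cert_der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return {"status": "first-seen", "seen": seen, "pinned": None}
    if pinned == seen:
        return {"status": "match", "seen": seen, "pinned": pinned}
    return {"status": "changed", "seen": seen, "pinned": pinned}


def accept_new_cert(host: str, cert_der: bytes, store: dict) -> None:
    """Explicitly re-pin after the change has been verified out of band."""
    store[host] = fingerprint(cert_der)


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificates; real ones are ASN.1 blobs.
ORIGINAL_CERT = b"constructed-der-cert-for-example.com-v1"
REISSUED_CERT = b"constructed-der-cert-for-example.com-v2"


def demo() -> list:
    """First visit, repeat visit with the same cert, then a swapped cert."""
    store = {}
    results = []
    results.append(check_cert("example.com", ORIGINAL_CERT, store)["status"])
    results.append(check_cert("example.com", ORIGINAL_CERT, store)["status"])
    results.append(check_cert("example.com", REISSUED_CERT, store)["status"])
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Pinning the whole certificate is the simplest version of what the commenters describe; a tool that wanted to stay quiet across ordinary renewals would instead pin the SubjectPublicKeyInfo, so that only a change of key, not a fresh signature over the same key, triggers the warning.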