[0x0]

There's a huge difference between ssh and ssl's trust model, where the latter requires you to fork over money for each domain name(1) and at the same time trust ALL the other CAs in the world not to work against you.

(1) except for a couple of very inflexible free tiers at a couple of vendors, which caused more trouble than it was worth during heartbleed.

For SSH your key management is 100% in your hands and no third party can create a replacement key pair that would work in a MITM attack.

[cesarb]

The perfect is the enemy of good. With TLS, you reduce the MITM exposure from "everyone who is in the path between you and the server" to "everyone who is in the path between you and the server, AND has control of or has hacked into a CA AND is willing to risk the CA being blacklisted by the major browsers".

The latter category is much smaller than the former (which includes anyone in the public access point you're using, for instance). Yeah, the NSA is probably in the latter category (if they think you're important enough to risk burning a CA), but the NSA is not your only adversary.