I think that's an unreasonable assumption. It's far more likely that a CA is compromised than an ISP.
Also, don't underestimate the power of e.g. sslstrip. Most users enter "google.com", not "https://google.com". If you're not careful, somebody will just remove all the SSL links on your pages, or lead you to another domain with a valid one, via DNS or HTTP redirects.
"It's far more likely that a CA is compromised than an ISP."
I wonder if that's true?
At a high enough stakes game - one would have to assume that state level actors have already trivially compromised both - the NSA clearly has pretty much 100% compliance from Verizon, and I don't think its going out on a limb to assume they've got similar compliance from at least one of (and possibly all of) the US based CAs. Egypt at a state level have been seen using fraudulent SSL certs - and you'd be foolish to assume there isn't equivalent CA access available to any government who has a root CA authority under their jurisdiction.
But that's kind of a moot point - if the NSA is targeting me individually, I have to assume they'll gain access to pretty much everything - even if I strongly encrypt everything (and don't ever make a mistake doing so), many of the intended recipients of my communication are in jurisdictions where they've got enough power that wouldn't be able to resist the NSA's demands to reveal the unencrypted contents. (If they can ground head-of-states private planes in various European countries, there are probably very few places they cant "lean on" someone strongly enough to make it a not-very-difficult question about whether to give up my personal data.) "Lesser" state level actors - GCHQ, or ASIO here in .au for example - might not have quite such god-like global power, but I'm under no delusion about the privacy protection I've got against the "feeble compared to the NSA" local government intelligence organisation of whatever country I happen to be in, if it takes a personal interest in me.
At the attack levels lower down though - carders, identity thieves, the generic "internet fraud" level attacker - I suspect ISPs are significantly more likely to be compromised than CAs - or at least the important part of the CA infrastructure that holds the root signing keys. I'd guess typical ISP infrastructure is not as well secured as typical CA root keys - and that zerodays, unpatched known vulnerabilities, and rogue/disgruntled/underpaid sysadmins in small (and perhaps even large) ISPs represent a much higher risk than non-state-level attacks via stolen CA keys.
But if I want to attack you with an ISP compromise, I have to compromise your ISP, regardless of how well-secured it is. If I want to attack you with a CA compromise, on the other hand, I get the choose the absolute weakest-secured of the 600+ CAs there are.
Also, don't underestimate the power of e.g. sslstrip. Most users enter "google.com", not "https://google.com". If you're not careful, somebody will just remove all the SSL links on your pages, or lead you to another domain with a valid one, via DNS or HTTP redirects.