
It's not quite that bad. Even with a compromised certificate authority, it's not an invisible attack to do a man in the middle and inject their own certificate. Someone knowledgeable could notice this discrepancy and raise a stink.

Furthermore, Chrome (and soon Firefox) ships some known certificates for privacy-important, widely used sites (e.g. the major webmail services, torproject, etc.) which prevents even this attack. This defense has already caught Iran using a compromised CA.

(I'm not a cryptographer though, so please correct me if I'm wrong.)



I think it's only a handful of certificates that are pinned (they call it "HSTS preloading" here: http://www.imperialviolet.org/2011/05/04/pinning.html). While this does include gmail and some other Google properties, it doesn't seem to include any other major webmail services.

Check out http://src.chromium.org/viewvc/chrome/trunk/src/net/base/tra... for the list of what's in there (linked to indirectly from http://dev.chromium.org/sts).


Ah dang, for some reason I thought that hotmail and y!mail were in there too. It looks like there's a commitment (which CAs you'll allow to sign your cert) that's needed from the site owner for HSTS to work. I hope they get in there one way or another soon.
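To make the mechanism discussed in this thread concrete, here is an added illustration in Python of how a preloaded pin set is consulted. It is not code from the thread, from Chromium, or from the linked list; the hostnames, preload entries, and SubjectPublicKeyInfo byte strings are constructed stand-ins, whereas a real entry hashes the DER-encoded SPKI of an actual key. The preload entry plays the role of the site owner's commitment to a set of keys, and the check shows why a chain issued by a CA outside that set is rejected even when ordinary CA validation would accept it.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Chrome-style pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for SPKI DER blobs (not real keys, not real pins).
SITE_LEAF_SPKI = b"constructed: example site leaf key"
SITE_CA_SPKI = b"constructed: CA the site owner has committed to"
ROGUE_LEAF_SPKI = b"constructed: leaf issued by some other CA"
ROGUE_CA_SPKI = b"constructed: compromised or rogue CA key"

# Constructed preload table: host -> whether subdomains inherit the pins,
# plus the set of SPKI hashes the site owner committed to (leaf or CA keys).
PRELOAD = {
    "mail.example.com": {
        "include_subdomains": True,
        "pins": {spki_pin(SITE_LEAF_SPKI), spki_pin(SITE_CA_SPKI)},
    },
    "login.example.net": {
        "include_subdomains": False,
        "pins": {spki_pin(SITE_CA_SPKI)},
    },
}


def find_pin_entry(host):
    """Exact host match first, then parent domains that opted in subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PRELOAD.get(".".join(labels[i:]))
        if entry is not None and (i == 0 or entry["include_subdomains"]):
            return entry
    return None


def check_chain(host, chain_spkis):
    """Return 'no-pins', 'pinned-ok' or 'pin-mismatch' for a presented chain.

    As with Chrome's pinning, it is enough for any certificate in the chain
    (leaf, intermediate or root) to carry a pinned key.
    """
    entry = find_pin_entry(host)
    if entry is None:
        return "no-pins"  # fall back to ordinary CA validation only
    presented = {spki_pin(k) for k in chain_spkis}
    return "pinned-ok" if presented & entry["pins"] else "pin-mismatch"


if __name__ == "__main__":
    # Legitimate chain for a pinned host.
    print(check_chain("mail.example.com", [SITE_LEAF_SPKI, SITE_CA_SPKI]))
    # Chain from a CA the site never committed to: flagged despite a "valid" signature.
    print(check_chain("imap.mail.example.com", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))
    # Host with no preload entry: pins cannot help here.
    print(check_chain("www.unrelated.example", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))
```

The third case is the gap the commenters point at: a site that has not made its commitment gets no protection from the preload list, so an interception using a mis-issued certificate is only caught there by someone comparing the presented certificate against what they expect.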



