Such a surprise?
For those with a good range of metallic headgear, this should come as no big surprise. After all, few bank robberies actually break the safe door, they either get the keys (by bribery or coercion) or they go in via the walls that are weaker.
It has long been known that the whole concept of SSL is fundamentally broken: compromise any one of the ~600 issuers and you can fake a certificate for man-in-the-middle attacks, and yet no one has serious tried to fix this in spite of the occasional publicised attack.
Similarly a lot of VPNs use only PPPT as it is MS's favoured option, though known to be also fundamentally broken w.r.t MITM attacks, etc.
And with MS being on such good terms with the US gov it is hard to avoid the conclusion that they would work with three-lettered agencies to either allow direct access, or not to close useful holes unless the "bad guys" start using them. Why are the likes of skydrive (and Google's offerings) not client-side encrypted by default? Maybe laziness, maybe to help? Who knows, so adjust your hats accordingly...
None if this means that encryption is not a good way of protecting your privacy, it is. But what it means is you cannot trust most of the current players that should be delivering it to be acting in the interest of you, the customer.