"Are end users going to be forced to install ISP root certificates (to allow HTTPS MITM attacks) before they are allowed to use an ISP's services? I can't see this. That would require touching every endpoint connected to the ISP, it would be a nightmare for the ISPs, and pinning complicates even this."

Erm, not quite. A nice nudge to Google & MS and hey-presto, your next s/w or OS update contains new certs.

Chrome already overrides machine level certs, as I found out when I was using a CA it opted to distrust (warnings ahoy, even though the root CA was trusted).

Unless you keep tabs on EVERY cert in your machine, with fingerprints, something could merrily install and opt to use one.

Pinning also only works if the apps respect it (or are allowed to)...

I'm sure someone will be along shortly to insert an obvious comment about not using Windows, or Google, or <other large well known app> - but for the masses, it's not going to be that hard to do...
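One way to do the bookkeeping the post mentions, as an added example that is not from the original thread: record a baseline of SHA-256 fingerprints for every root in a PEM bundle and diff it against the store after an update. The bundle contents below are constructed placeholders (the payload bytes are not real certificates); on a real host you would feed it the OS CA bundle (for example `/etc/ssl/certs/ca-certificates.crt` on Debian-based systems) instead of the inline sample.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a bundle file.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprints_from_pem_bundle(text: str) -> set[str]:
    """Return the SHA-256 fingerprints of every certificate in a PEM bundle."""
    result = set()
    for body in _PEM_CERT.findall(text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks, decode
        result.add(fingerprint(der))
    return result


def diff_trust_store(baseline: set[str], current: set[str]) -> dict[str, set[str]]:
    """Roots present now but absent from the recorded baseline, and vice versa."""
    return {"added": current - baseline, "removed": baseline - current}


def _pem(der: bytes) -> str:
    """Wrap bytes as a PEM block. Constructed sample only: not a real certificate."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed bundles: the baseline you recorded, and the store after an update.
BASELINE_BUNDLE = _pem(b"constructed-root-A") + _pem(b"constructed-root-B")
CURRENT_BUNDLE = _pem(b"constructed-root-A") + _pem(b"constructed-root-C")


def check_constructed_store() -> dict[str, set[str]]:
    """Run the diff over the constructed bundles above."""
    return diff_trust_store(
        fingerprints_from_pem_bundle(BASELINE_BUNDLE),
        fingerprints_from_pem_bundle(CURRENT_BUNDLE),
    )


if __name__ == "__main__":
    changes = check_constructed_store()
    for kind in ("added", "removed"):
        for fp in sorted(changes[kind]):
            print(f"{kind}: {fp}")
```

Any fingerprint under "added" is a root you did not approve and should be traced back to whatever installed it before you trust it.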

