Putting it simply, most browsers don't care if a supposedly valid certificate is replaced by another (seemingly valid) certificate.
Think man-in-the-middle; think "the Government did it!" (more on that later).
Both Blaze and Schneier are augmenting the research described in a paper by Christopher Soghoian and Sid Stamm, which lays out very clear ground for Governments to execute man-in-the-middle attacks upon any SSL connection.
As Blaze notes, "A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much."
According to the abstract of Soghoian and Stamm's paper, "This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications.
We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks."
In essence, the attack permits a strong-enough authority to compel a Certificate Authority to create a fake certificate. Once they do, all bets are off.
To back up their claims, the authors include marketing material from a company called "Packet Forensics".
Quoting from their brochure, "Packet Forensics' devices are designed to be inserted into and removed from busy networks without causing any noticeable interruption. Even the failure of a device due to power loss or other factors is mitigated by our hardware bypass fail-safe system. Once in place, devices have the capability to become a go-between for any TLS or SSL connections in addition to having access to all unprotected traffic.
"This allows you to conditionally intercept web, e-mail, VoIP and other traffic at will, even while it remains protected inside an encrypted tunnel on the wire."
The paper by Soghoian and Stamm offers a browser plug-in to ameliorate the problem; in addition, commenters on Schneier's report of the problem both support and decry (different people, of course) a tool called Perspectives.
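The gap described at the top of this piece, that a replacement certificate is accepted as long as some trusted CA signed it, can be narrowed by remembering what each site presented before. The following is an added example of such a continuity check, not the add-on from the paper and not Perspectives; the class and function names, the host and the issuer names are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    host: str
    leaf_der: bytes  # DER bytes of the leaf certificate the server presented
    issuer: str      # issuer distinguished name read from that certificate

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

class ContinuityStore:
    """Remembers, per host, the last accepted leaf fingerprint and its issuer."""
    def __init__(self):
        self._seen = {}

    def check(self, obs: Observation) -> str:
        fp = fingerprint(obs.leaf_der)
        prev = self._seen.get(obs.host)
        if prev is None:
            self._seen[obs.host] = (fp, obs.issuer)
            return "first-seen"
        prev_fp, prev_issuer = prev
        if fp == prev_fp:
            return "unchanged"
        if obs.issuer == prev_issuer:
            # Same CA, new leaf: consistent with routine renewal, so accept and
            # update. A CA compelled to mis-issue for its own customer lands here.
            self._seen[obs.host] = (fp, obs.issuer)
            return "reissued-same-ca"
        # New leaf from a different CA: keep the old record and surface a warning.
        return "issuer-changed"

# Constructed sample data: the byte strings stand in for DER certificates.
SAMPLE = [
    Observation("mail.example.test", b"leaf-A", "CN=Example CA One"),
    Observation("mail.example.test", b"leaf-A", "CN=Example CA One"),
    Observation("mail.example.test", b"leaf-B", "CN=Example CA One"),
    Observation("mail.example.test", b"leaf-C", "CN=Example CA Two"),
    Observation("mail.example.test", b"leaf-B", "CN=Example CA One"),
]

def run(observations):
    store = ContinuityStore()
    return [store.check(o) for o in observations]

if __name__ == "__main__":
    for obs, verdict in zip(SAMPLE, run(SAMPLE)):
        print(obs.host, obs.issuer, verdict)
```

A check like this only helps on sites visited before the interception began, and a legitimate switch of CA by the site owner raises the same warning as a substituted certificate.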
At the moment, this vulnerability seems very difficult to address, especially since it appears to be more political than technical.
In short, you probably can't trust the padlock, especially if you believe there is a Government somewhere in the world that wants to know what you know.