Blindly Trusted Roots
Both of the breaches resulted in fraudulent certifications being issued and used to impersonate high-traffic sites such as google, yahoo, skype and live dot com properties. These certificates were used to trick browsers (and users) into thinking that they were connected to a valid site, when they were not.
More importantly though is the realization that the trust in the root CA system on the Internet has been eroded. With two publicly disclosed breaches, how many undisclosed breaches have their been, and how many breaches of these CA's have not even been discovered?
While the use of fraudulent certificates on high-volume consumer sites is a big issue, the bigger issue here is the use of low-volume high-value certs to intercept financial transactions, email message systems, and other highly critical services.
My position is that we need to come up with a new paradigm for establishing trust in public/private services, and eliminate the use of old broken systems like the root CA pki's. The only issue I see is the speed with which this can happen.