The proper way to do it is to have a 100% offline CA with its key material split over a number of smart cards so the CA can only be brought up periodically for signing purposes when a certain number of cards are present (say 3 of 5) and even then you use an HSM which performs all activities hence the private key is never accessible even if you wanted it to be. You store the cards in fireproof safes in geographically dispersed secure physical locations, cardholders travel by different modes of transport, at different times of day, stay at different hotels etc. For day-to-day certificate issuance and signing you have a subordinate CA sat in a networked HSM. That way there can only ever be a minuscule (I'd never use the word impossible) risk that the root CA can be compromised and you maintain the ability to revoke the day-to-day CA.
90% of a good PKI is process and governance, not the technology itself.
I suspect what's going on here is that the NSA has the ability to cut certs for things like *.google.com, *.facebook.com etc from a trusted commercial CA whose root is already installed in everybody's browser, hence they can man-in-the-middle the traffic without raising alarm. A few sneaky BGP advertisements and this would be surprisingly easy to do.
It's pretty shocking to read most of the comments on here and realise that very few people actually know how PKI works even at the most basic level.