SSL/TLS communications are just as secure as they always were.
No, it is not.
CA model is much more important than the public CA "trust". There is nothing stopping an application designer from using private CAs for their application. This bug breaks the trust to any CAs, including the private ones.
Let's think about it (as a thought experiment) what is required for this to be an effective attack.
SSL spoofing is already a common attack. Not just France and the NSA but also regular old password-sniffers. This vulnerability falls under the same class of attack as SSL spoofing; a trusted certificate is secretly replaced by an untrusted certificate.
There were some common examples right after unicode was allowed in domain names and people came up with similar-looking links for major companies with unicode symbols that look identical to the ascii glyphs. That will be one comparison. The other comparison will be for a government-style ssl spoof attack.
First, the attacker must redirect you from the legitimate site to their illegitimate site. This is equally difficult with or without the TLS attack.
The government-style attack could intercept the traffic over the wire and redirect you to the bad MitM manually.
The fake link version could use bad links in phishing emails or spamming the internet with the fake link to the MitM server. Other options include host entries and software secretly installed on the machine. In any event, the bug does not affect this most difficult step.
Second, they need to appear as a valid connection. For the TLS bug, the attacker must create a false certificate that will test as valid. With the bug being known, that is pretty easy. Then they must use this when the certificate is requested during TLS handshaking. Now contrast this with a traditional attacker who must get their certificate signed by a CA for the fake domain; this is also fairly easy to do in practice. Many fake-name certs have been issued over the years and successfully used in news-reported attacks. Sometimes certificates have been forged in other ways, such as the Flame virus. Similarly the spy agencies have no difficulty getting their fake certificates signed by a CA.
Finally, the attacker needs to make a connection with the legitimate host. This is the same in all conditions, and has been successfully been used in SSL spoof attacks for years. When there is secondary authentication required the MitM just requests the data from the client. Complex attacks can sometimes permit a second connection directly to the victim where two-factor authentication across servers is required in such a way that the authentication passes. Nothing new here.
So really, the only thing the bug makes easier is the task of getting a fake certificate. Since this was arguably the EASIEST step in SSL Spoofing to begin with, and because SSL Spoofing is long-established as an easy attack that is difficult for lay people to detect, it means the attack really is a relatively small issue.