Generally you're right to point to router security, but I don't think it's relevant here. Router software package installation -- where you might think you want tls to fetch the package safely -- should be using package signatures rather than relying on tls.
Article writer Dan Goodin missed this point in his first draft. He thought he had a story, and failed at the fact-checking stage.
Would you rely on X.509 for a vpn? The implementation is irrelevant.
ATMs, no. Web banking really does have a problem, and it's much bigger than bugs in tls.
I think David Jao and others are right, and this is not news.