"Your IDS/IPS cannot look inside SSL traffic, either, which could contain exploit code (conveniently packed and encrypted by the SSL container)."
You might want to go read up on SSLStrip before you make that assertion. There are a bunch of other utilities that do basically the same thing, but their names escape me at the moment.
Admittedly, SSLStrip relies (generally) on the target ignoring the bad cert warning, but if you've compromised the target and inserted your root CA into the "trusted" list, well... no more warning. And, as someone else mentioned, if you're a netadmin and control the end nodes, there are lots of companies that will sell you inline appliances that will do exactly the same thing, completely transparently.
WebSense and Palo Alto 6.0 (and probably others) will even let you take the cleartext off-box for DLP, or "archiving".
How much do you want to bet that one of the trusted root CAs distributed with all browsers (e.g., VeriSign) is an NSA plant? Trust no one.