You're almost right. There are a number of commercial appliances (Websense makes one, which I've deployed for corporate use) that do exactly this so the corporate powers-that-be can peer into SSL-encrypted traffic. This is generally (hopefully) for IDS/IPS purposes.
The key is that:
1. Corporate workstations have to be loaded with a CA cert generated by the appliance so they trust all certs issued by the appliance, and
2. The fake server certs are generated in *real time*. Pre-generation isn't necessary.
So the reality is that this happens every day if you're running one of these systems. You raise an interesting point, though, that if a CA with their CA cert already in browser distros did this, it would be pretty much undetectable. However, then anyone with one of those appliances could do this man-in-the-middle attack, rendering the CA's infrastructure/reputation worthless. Additionally, they'd have the CA's private key, which is the crown jewel of a CA, so I doubt that would happen.
Now, if someone maliciously inserted their CA key into a browser distro, well, that opens the door for all kinds of fun...
J-.
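
An added example, not part of the original post: what the real-time re-signing described above looks like from a workstation, where unrelated hosts suddenly share one issuer and their leaf fingerprints no longer match a baseline recorded on an uninspected network. Hostnames, issuer names and the byte strings standing in for DER certificates are all constructed.

```python
import hashlib
from collections import Counter

def fp(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample data. Each value is (issuer DN, leaf fingerprint).
# BASELINE: recorded from a network known not to inspect TLS.
BASELINE = {
    "mail.example.com": ("CN=Public CA A", fp(b"leaf-mail-real")),
    "bank.example.net": ("CN=Public CA B", fp(b"leaf-bank-real")),
    "wiki.example.org": ("CN=Public CA A", fp(b"leaf-wiki-real")),
}
# OBSERVED: what a corporate workstation sees for the same hosts.
OBSERVED = {
    "mail.example.com": ("CN=Corp Inspection CA", fp(b"leaf-mail-forged")),
    "bank.example.net": ("CN=Corp Inspection CA", fp(b"leaf-bank-forged")),
    # Host on the appliance's bypass list: original cert passes through.
    "wiki.example.org": ("CN=Public CA A", fp(b"leaf-wiki-real")),
}

def reissued_hosts(baseline, observed):
    """Map host -> observed issuer where both leaf and issuer changed.

    A routine renewal changes the fingerprint but normally keeps the
    issuer, so requiring both changes filters renewals out.
    """
    changed = {}
    for host, (issuer, leaf) in observed.items():
        base = baseline.get(host)
        if base and leaf != base[1] and issuer != base[0]:
            changed[host] = issuer
    return changed

def interception_cas(baseline, observed, min_hosts=2):
    """Issuers that re-signed at least min_hosts hosts.

    One issuer replacing certs for several unrelated sites is the
    signature of an inspection CA installed on the workstation.
    """
    counts = Counter(reissued_hosts(baseline, observed).values())
    return sorted(i for i, n in counts.items() if n >= min_hosts)

if __name__ == "__main__":
    for host, issuer in reissued_hosts(BASELINE, OBSERVED).items():
        print(f"{host}: re-signed by {issuer}")
    print("suspected inspection CAs:", interception_cas(BASELINE, OBSERVED))
```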