MiTM doesn't work against https unless the users are accepting bad certs already. If the page you're looking at was sent over https, its not alterable to include malicious javascript en-route. Someone on the network doesn't have your key, and so they can't spoof a request to take advantage of persistent https connections. XSS is dependent on your users looking at each others data and you not filtering it well. So unless your server or client are already owned (at which point this doesn't matter), or your users are randomly accepting bad certs (at which point it still doesn't matter), the only vector is a pre-existing unpatched XSS vulnerability on one of the servers https pages. (right?)

...or it could fail because its designed to fail at exactly the right time, in the right way. That our infrastructure and military hardware contain so many parts from China has to be one of their best strategic advantages in any conflict we might have. They would be silly not to try and use that.

Actually, not quite:

http://www.ojp.usdoj.gov/bjs/abstract/rsorp94.htm

Within 3 years of release from prison:
3.3% of child molesters were rearrested for molestation
2.2% of non-molester sex offenders were rearrested for molestation
0.4% of the entire set of released criminals were rearrested for molestation

43% of sex offenders were rearrested in total (any criminal charge)
68% of non-sex offenders were rearrested in total (any criminal charge)

In general you can fairly say offender type X is more likely than other criminals to recommit crime type X, but overall its a misconception to believe that sex offenders re-molest frequently or that they are rearrested more often than other criminals.