In the USA, there has been a case of phishing with valid SSL certificates. A certificate was issued via GeoTrust - the guys who also bought Trustcenter in Hamburg after it went bankrupt - to someone who then used it to fake a banking site, and did so well enough that a customer can no longer easily tell whether the site is authentic.
SSL is no guarantee - it is only proof that someone has been issued a certificate. You still have to know whether you trust the certificate issuer - and unlike Web-of-Trust approaches, there is usually exactly one certificate issuer, not a group or even an entire network.
If the weak point is the certificate issuer's own certification process, it doesn't matter how many or how few bits the key has ...