I agree that there's a very slim chance, realistically, of this being exploited. But StartSSL doesn't have to be hacked for a user to be MITM'ed and served malicious JS. Especially given that their site (at least the homepage) loads over plain HTTP.