Potentially. This exploit was known to apple for some period of time, if NSA has access to the internal apple bug tracker, then they could certainly exploit the bug.
Not at all: that's the bug. It's not properly verifying that the other-end of a TLS session is the entity able to sign with the certificate-declared private-key.
Most likely hrrsn was referring to code-signing keys. Even if you can successfully MITM a software update connection, iOS won't run your trojan unless it's got a valid signature.
Of course the jailbreaking community knows well that there have been many ways around that...
