
As I understand it, there is more than just figuring out how it works; one also needs to have physical access to the phone and be able to imitate Apple cryptographically. Not out of reach for the NSA maybe, but not exactly typical hacker stuff.


> and be able to imitate Apple cryptographically

Like impersonate them cryptographically with a forged/stolen SSL cert?[1]

> one also needs to have physical access to the phone

The user only has to pair the device with their PC for the PC to become a "trusted device", from which this exploit can be run.

[1] > Serious Security: Google finds fake but trusted SSL certificates for its domains, made in France http://nakedsecurity.sophos.com/2013/12/09/serious-security-...


That is about the browser CA system, which is a mess of questionable trust. It's not an attack that is applicable to Apple's own root certificate.


> That is about the browser CA system

No, SSL certs are used to sign packages and software too. And Apple would not have a root cert, their cert would be signed by a root CA, which could be used to sign other certs if it's tricked into thinking it's Apple requesting them (like in the recent Google cert example).

So one could impersonate a company if they have a cert that says they are that company.


You are conflating the CA system traditionally used on the Web with SSL itself. Apple does not depend on other certificate authorities to sign its software. Anybody can create their own root CA — it just won't be trusted by browsers out of the box.


No, it's about the browser CA system. I don't know exactly how Apple implemented their signing for iDevices, but it's a reasonable assumption that the certs need to be signed by Apple, and they didn't effectively hand the keys over to every registrar in the world.


http://en.wikipedia.org/wiki/Code_signing

They are likely using a plain-old SSL Cert signed by a plain-old public CA, which is how your computer would know if the executable appears to come from Apple or not.


First of all, code signing certificates are not "plain-old SSL certs". They're for code signing, not SSL.

Second, Apple includes their own root certificates in their own operating systems just like everybody else. I've personally implemented a code signing mechanism for a platform that had no root certificates except for those I personally generated (and still control).

The public CA system is just irrelevant here. It has nothing to do with anything.
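
The two points in the last comment can be reproduced with the openssl CLI. This is an added example, not part of the thread and not Apple's actual mechanism: a verifier that trusts only a privately generated root, and leaf certificates whose extended key usage separates code signing from TLS. All names and file paths are constructed.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name here is made up for the example.

# issue_leaf DIR CA NAME EKU: leaf "NAME" signed by root "CA" with one EKU.
issue_leaf() {
  local d="$1" ca="$2" name="$3" eku="$4"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$d/$name.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Vendor" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
    -CAcreateserial -days 1 -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
}

# make_pki DIR: the root the platform ships, an unrelated root, three leaves.
make_pki() {
  local d="$1" ca
  for ca in platform other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca root" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  issue_leaf "$d" platform codesign codeSigning &&
  issue_leaf "$d" platform tls serverAuth &&
  issue_leaf "$d" other forged codeSigning   # same subject, wrong issuer
}

# chain_ok DIR LEAF [PURPOSE]: verify against the platform root only;
# the system CA store is explicitly excluded.
chain_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/platform.pem" \
    -purpose "${3:-any}" "$1/$2.pem" >/dev/null 2>&1
}

# Run as "script demo" to print the four verdicts.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_pki "$d" || exit 1
  for t in "codesign any" "forged any" "tls sslserver" "codesign sslserver"; do
    set -- $t
    chain_ok "$d" "$1" "$2" && echo "$t: accepted" || echo "$t: rejected"
  done
  rm -rf "$d"
fi
```

The leaf issued by the unrelated root carries the same subject name but is rejected because its issuer is not the pinned anchor, and the code-signing leaf is rejected when checked for the TLS server purpose.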



