in case someone, through some means, somehow manages to get their hands on a password of yours that matters. Remember when that Certificate Authority leaked a private cert for Google? That, coupled with a DNS attack (which is depressingly easy to do), could serve you a clone of any Google service, complete with valid HTTPS certificates and everything, which you and anybody else would happily type your password into. Got a physical token and 2-factor auth? Then awesome, you win that round.
Sure, the window between learning of a rogue CA cert and having it removed from browsers is small, but do you want to risk it?