We hear about SSL vulnernabilities, how SSL is "broken." One complaint I don't hear often enough is the lack of attention to Certificate Revocation Lists. For example, Verisign could revoke a certificate and Firefox users would continue to think they were making a trustworthy connection. That's a client confidence headline waiting to happen.
But suppose you are an eCommerce site who is trying their best to provide a secure transaction enviironment. You've paid for extended validation. You recognize that the green bar should give the customer more confidence in your site's security, but you also recognize that security relies upon the customer watching for the green bar. That manual task of watching the URL bar change colors must be performed consistently.
Why would you choose to NOT implement two way authentication using SSL? Why is this common with business to business commerce, but otherwise rare?