Because your client (generally a browser) is configured to implicitly trust a group of companies called "root Certificate Authorities" (root CAs). Now, consider one such company headquartered in China, or the US. The governments of both countries have the power to secretly demand such a company's keys, then use them to make your client trust whichever endpoint they choose.
The security model is broken, just like BGP's is. Root CAs plainly can't be trusted. It's not just that they'll cooperate with governments. See "Security Collapse in the HTTPS Market".[0]
And yes, HTTPS is rather a joke. But what about properly implemented SSH, IPsec or OpenVPN?