If the ad code is inserted via JavaScript, then yes, the problem is real. Most ad code is inserted via JS, e.g. Google's AdSense.
But according to https://www.google.com/adsense/support/bin/answer.py?answer=... AdSense isn't available over https, so this specific problem of forged SSL certs does not apply here. But if you embed non-SSL code in your httpS page (and I assume that most users just ignore the message that would popup in this case, alerting them that non-SSL code is loaded into the "secure" site) there's no need to do that: just do the MitM attack.
But according to https://www.google.com/adsense/support/bin/answer.py?answer=... AdSense isn't available over https, so this specific problem of forged SSL certs does not apply here. But if you embed non-SSL code in your httpS page (and I assume that most users just ignore the message that would popup in this case, alerting them that non-SSL code is loaded into the "secure" site) there's no need to do that: just do the MitM attack.