Let's be clear, we're not talking about self-signed certs here. An attacker would still need to prove they have ownership of the domain to get a non-EV CA-signed certificate, which makes a MITM attack highly challenging to the point of being downright impractical to accomplish successfully. It's simply not a large enough threat level* to worry about, since it would require either DNS spoofing (in which case why bother with a MITM anyway? Since you now have ownership of the traffic you can just steal people's cookies and log in directly), or access to the domain owner's email (in which case gaining access to their infrastructure becomes significantly easier depending on where it is hosted), or attacking the client's PC to install your own CA certificate (in which case you might as well just install a RAT or keylogger and capture inputs for all websites and thus save yourself the trouble of MITMing only one specific single domain).
* I mean if your business is online banking then it's a little different. But for 99.9% of websites out there having EV isn't necessary.
Anyone in the network path and willing to expend the computational power to decrypt and re-encrypt your traffic. Unauthenticated encryption still dramatically increases the cost of mass surveillance.
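Both points above, that a CA-signed certificate is what binds the key to the domain so an on-path attacker can't substitute their own, and that even unauthenticated encryption defeats purely passive collection, can be seen in one toy key exchange. The code below is an added example written for this thread, not code from either commenter. It runs a Diffie-Hellman exchange three ways: watched by a passive observer, attacked by an active on-path MITM, and with the public value authenticated. The group parameters (p = 2^255 - 19, g = 2), the HMAC "trust anchor" standing in for a CA signature, and the SHA-256 stream cipher standing in for an AEAD are all assumptions made so it runs offline with the standard library; none of it is how TLS is actually implemented.

```python
import hashlib
import hmac
import secrets

# Toy DH group, an assumption for illustration only: p = 2^255 - 19 is prime and
# g = 2. Real deployments use RFC 7919 groups or ECDH, never ad hoc parameters.
P = (1 << 255) - 19
G = 2

# Stand-in for the trust anchor a CA-signed certificate provides: a secret the
# client already trusts, used to authenticate the server's public value.
# (Assumption for the demo; a real client verifies an X.509 chain instead.)
TRUST_ANCHOR = b"demo trust anchor, not a real CA"


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(priv, peer_pub):
    """Hash the shared secret g^(xy) mod p into a 32-byte session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream (no integrity;
    a stand-in for a real AEAD so the example needs no third-party libraries)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def sign_pub(pub):
    """Authenticate a public value; plays the role of the certificate signature."""
    return hmac.new(TRUST_ANCHOR, pub.to_bytes(32, "big"), hashlib.sha256).digest()


def verify_pub(pub, tag):
    return hmac.compare_digest(sign_pub(pub), tag)


def passive_observer(alice_pub, bob_pub, ciphertext):
    """Someone who only records traffic sees g^x, g^y and ciphertext. Without
    solving the discrete log there is no key; guessing one (here: hashing the
    product of the public values) yields garbage rather than the plaintext."""
    guess = hashlib.sha256((alice_pub * bob_pub % P).to_bytes(32, "big")).digest()
    return keystream_xor(guess, ciphertext)


def run_unauthenticated(msg):
    """Unauthenticated DH: defeats the passive observer, not the active one.
    Returns (passive_recovered_plaintext, mitm_recovered_plaintext, what_bob_decrypts)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    # Honest exchange, observed passively.
    ct = keystream_xor(derive_key(a_priv, b_pub), msg)
    passive_ok = passive_observer(a_pub, b_pub, ct) == msg

    # Active attacker on the path swaps both public values for its own and
    # ends up holding one key shared with Alice and another shared with Bob.
    m_priv, m_pub = dh_keypair()
    key_alice_mallory = derive_key(m_priv, a_pub)
    key_bob_mallory = derive_key(m_priv, b_pub)
    ct_from_alice = keystream_xor(derive_key(a_priv, m_pub), msg)  # Alice thinks m_pub is Bob's
    plain = keystream_xor(key_alice_mallory, ct_from_alice)         # Mallory decrypts...
    tampered = plain.replace(b"100", b"999")
    ct_to_bob = keystream_xor(key_bob_mallory, tampered)            # ...and re-encrypts for Bob
    bob_sees = keystream_xor(derive_key(b_priv, m_pub), ct_to_bob)
    return passive_ok, plain == msg, bob_sees


def run_authenticated():
    """Authenticated DH: Bob accepts Alice's signed public value and rejects
    the attacker's substitute, because the attacker cannot forge the tag.
    Returns (genuine_accepted, substituted_accepted)."""
    _, a_pub = dh_keypair()
    tag = sign_pub(a_pub)
    _, m_pub = dh_keypair()
    return verify_pub(a_pub, tag), verify_pub(m_pub, tag)


if __name__ == "__main__":
    passive, mitm, bob = run_unauthenticated(b"transfer 100 to bob")
    print("passive observer read it:", passive)   # False
    print("active MITM read it:     ", mitm)      # True
    print("bob received:            ", bob)       # b'transfer 999 to bob'
    print("authenticated (genuine, forged):", run_authenticated())  # (True, False)
```

The passive case is the "cost of mass surveillance" point: recording g^x, g^y and the ciphertext yields nothing without solving a discrete log. The active case is the MITM the first comment is dismissing, and the last function is why it is hard in practice: the attacker's substituted public value carries no valid signature from the trust anchor, which for the web means a certificate the CA would only issue to whoever controls the domain.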