Then there is the theoretical possibility of a man-in-the-middle attack because your upstream router could imitate the SSL website.
Not unless it can somehow forge the SSL certificate, as issued to the genuine site by a trusted public root CA.
Corporate-quality firewalls, such as those used by banks, will frequently be configured to intercept SSL requests, decrypt them, do security checks or read packets for load-balancing purposes, and then re-encrypt data and pass it on.
Absolutely right - I have implemented such solutions. But the point is that the proxy has the genuine certificate for the protected website!
SD