You're right, it could be a passive inspection. But... if they are your ISP and have access to your packets, chances are they can rewrite and inject traffic too. Sure, they might need a bit more hardware to do so, but it's not exactly difficult.
But you're correct, DPI doesn't necessarily imply MITM capabilities.
What, how? DPI just means looking at packets inside IP. It doesn't somehow grant you the ability to do man-in-the-middle attacks.
Deep packet inspection is already possible. That doesn't mean that TLS or IPsec or any other protocol is broken.
(I agree with the need for key management etc.; it's just the quoted statement above that seems wrong.)