The list does go on. However, I completely disagree with your
assertion that "O(MitM) = O(sniff)"
Yes there are many vectors to MITM at many levels, but they are
(perhaps not ALL) not only detectable but also preventable in many scenarios.
* DNS cache poisoning => Don't fail at DNS
* ARP poisoning => use static ARP tables (and before you say "who on earth does that"- I do)
* routing protocol poisoning (many kinds) => (many solutions)
* ICMP router redirects => Get filtered by firewall before they ever reach me
* NETBIOS name poisoning => Don't ever use netbios for anything
That should be fairly self-evident.