... and leaves its customers open to man-in-the-middle attacks because then you have no convenient way to distinguish between the legitimate self-signed cert and an attacker's cert...
True enough. But how do you conveniently distinguish between a legitimate purchased cert and a cert that was sold to the CIA by a compliant cert-issuer?
I wouldn't trust anything of value to a site that used self-signed certs or a private CA unless I went through extra effort to verify that it was ok.
Fair enough.
Anyway, regardless of the technical issues, a service will not be commercially successful if it causes the browser to display frightening messages.