This clear incentive you speak of is not in evidence on the actual Internet: find a site any of us have ever heard of that takes a credit card over a bare HTTP connection by default.
Self-signed certificates are "insecure", if you want to use that word, because there is no way to verify them. If you're Bob sending your certificate to Alice, Alice has absolutely no way to tell if she's seeing your cert or Mallory's.
Self-signed certs get used in non-HTTP apps, and in internal apps, because an out-of-band mechanism (thumb drives, key continuity, etc) is being used to distribute the certificates. If Alice already has your cert, and all you have to do is prove you hold the privkey for it, you and Alice have no problem.
Of course, if you think about this for 5 more seconds, you quickly realize that nobody on the Internet has your cert already, and without Verisign to break the tie between you and Mallory, you're totally fucked.
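Added example (not part of the comment above) showing the two situations it describes in Go's standard x509 package: a client with no prior knowledge of Bob has only the presented cert to use as a root, so Bob's and Mallory's self-signed certs verify equally well; a client that already holds Bob's cert fingerprint from out of band (thumb drive, key continuity) tells them apart. The host name `bob.example` and the fingerprint-as-pin scheme are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// SelfSigned mints a self-signed cert for host; Bob and Mallory can each make one.
func SelfSigned(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Fingerprint is SHA-256 over the DER cert: what Alice got out of band (assumed pin format).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// ChainVerifies models a client with no prior knowledge: its only root is the cert itself.
func ChainVerifies(c *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(c)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// PinMatches is the out-of-band check: accept only the fingerprint Alice already holds.
func PinMatches(c *x509.Certificate, pinned string) bool {
	return Fingerprint(c) == pinned
}
```

Both certs pass ChainVerifies for "bob.example", and only Bob's passes PinMatches against the pinned fingerprint; a TLS client would still need to prove Bob holds the matching private key, which the handshake does once the pin has selected the right cert.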