SSL needs to verify the site's identity to be effective, period. For a certain level of trust (EV certs, for example) that requires humans doing work, at least for now. Humans cost money. StartSSL's free certs work perfectly well for non-EV requirements, which basically amount to a verification level of "someone who can read email on this domain has requested a cert for it" - which can be, and is, completely automated and therefore available for free.
First of all, everyone wants the benefits of HTTP/2.0, obviously. Else I'd be using gopher, thank you very much.
Then, startssl is a company, that happens to give free certs. For one single sub-domain. Got two subdomains? Gotta pay.
They can also decide to make those non-free at any given moment, if they feel like it.
The only part I agree with, is paying for EV certificates. But you should NOT need to pay and you should NOT need a third party to be responsible for YOUR certificates if you do not want to.
And again, there's quite a few distributed trust models around that work well and do exactly that, but get great push back from vendors, since, by nature, they don't bring as much money back.
SSL needs to verify the site's identity to be effective, period. For a certain level of trust (EV certs, for example) that requires humans doing work, at least for now. Humans cost money. StartSSL's free certs work perfectly well for non-EV requirements, which basically amount to a verification level of "someone who can read email on this domain has requested a cert for it" - which can be, and is, completely automated and therefore available for free.