I should hope people skip over self-signed certificates, they're as reliable as asking me what my name is! (on a Friday night, just after the pub has closed!).
A self-signed certificate is one which is signed by that same certificate. It can be generated by anyone at any time (with access to appropriate software). Cheap? Try free.

Root certificates are self-signed because they have no-one else to be signed by. Self-signing does at least assure that none of the other details have been modified by someone else. However, I could easily generate a self-signed certificate claiming that I was Google and, using other attacks, intercept traffic for Gmail and persuade people to log in to my server with their account details. That is, if the browser didn't warn users that my claim wasn't corroborated by anyone else.

SSL certificates cost money simply because someone is checking that you are who you say you are. This ranges from checking that the person applying is one of the contacts in Whois for the domain, up to full Companies House checks. It's not flawless - VeriSign issued some code-signing certificates in Microsoft's name to an attacker at one stage - but gives some reassurance.

There's nothing stopping alternate CAs setting up in business to issue SSL certificates, but not being on the default list of root CAs means that you have to persuade visitors to install and trust your root certificate so they can then trust all the certificates you've signed.
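
Added example, not part of the original posts: a shell sketch of the point above, showing that a self-signed certificate is free to create, is rejected against the default root list, and is accepted only once it has been explicitly installed as a trusted root. It assumes the `openssl` command-line tool is installed; the name `example.test` and the file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; names and paths are constructed for illustration.
set -u
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Anyone can mint a self-signed certificate for any name, at no cost.
make_self_signed() {  # $1 = output prefix, $2 = claimed common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# A self-signed certificate names itself as its own issuer.
is_self_issued() {  # $1 = certificate file
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds only if openssl builds a chain to a trusted root.
# $1 = certificate, optional $2 = file of additional trusted roots.
verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify "$1" 2>&1 | grep -q ': OK$'
  fi
}

# Two unrelated keys, both claiming the same name.
make_self_signed "$workdir/a" example.test
make_self_signed "$workdir/b" example.test

is_self_issued "$workdir/a.crt" && echo "a.crt: issuer == subject"
verifies "$workdir/a.crt" || echo "a.crt: rejected against the default root list"
verifies "$workdir/a.crt" "$workdir/a.crt" \
  && echo "a.crt: accepted once installed as a trusted root"
verifies "$workdir/b.crt" "$workdir/a.crt" \
  || echo "b.crt: same name, different key, still rejected"
```

The last check is the one that matters for the impersonation scenario: trusting one root does not make another certificate with the same name acceptable, because trust is bound to the key, not to the claimed name.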
So an add-on can override certificate security warnings. How wonderful. Did MS at any point advise the Mozilla people on design?