Where it all breaks down though is you need to get a public key from a trusted source.
For instance, with SSL it works.
A) You ask for example.com and get 244.244.244.244 as the DNS result.
B) 244.244.244.244 responds and presents a certificate (public key) for example.com.
C) You check the certificate for example.com is legit by verification of a signature done with a 3rd party private key and check that with a public key you already have (root CA list). You can now trust 244.244.244.244's claim to be example.com and use that public key to decipher messages sent to you with its private key (which you will use to exchange a symmetric key, but that's getting off topic).
The problem with your example above with e-mail is that Bob has no way to authenticate the original message from Alice. He can't know that the public key he has been sent is really from Alice and not his wife spoofing Alice's address because she suspects Alice is a mistress. Bob is, how we say, 'screwed'.
The only way it can work is if someone countersigns for Alice that Bob already trusts. With SSL and the 3rd party CA system it's doable because companies only have so many Web servers they are willing to pay Verisign or GeoTrust to essentially act as a notary. They won't do this for every employee that wants to send mail; the general public can't be arsed to do it either. So the CA model does not work.
Hence we have the web of trust model. This depends on your belief that most people in that web are responsible about who they 'trust' as authentic sources of keys. It assumes that most senders properly guard their private keys, or even understand they need to guard them and against what. There is zero evidence to suggest the general public has this understanding or capability.
Then there is the problem of web mail. If everyone is just going to hand Google (I am picking on them because of the popularity of GMail) their private keys, we are ONE breach away from the entire system crashing down. If you implement some kind of client-side encryption with JavaScript, we are still ONE breach away: someone gets in and replaces the JavaScript with a malicious one, and your client trusts it because, well, it came from Google's server. It also makes webmail inherently unportable because you have to bring your key with you and, what, enter it into every untrusted system all the time?
The GP is right, the problem is key management.
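
The check in step C and the countersigning point for Alice's key, as an added example that is not part of the original comment: a key is accepted only when a signer already in the trusted root list vouches for the name-to-key binding. It uses toy textbook RSA (no padding) with constructed keys, and every name in it (`keypair`, `issue`, `verify`, `demo`, the addresses) is hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, key, n):
    """Hash of the binding 'this name owns this key', reduced into the signer's modulus."""
    h = hashlib.sha256(f"{name}|{key}".encode()).digest()
    return int.from_bytes(h, "big") % n

def issue(name, key, signer_n, signer_d):
    """Certificate: claimed name, subject public key, and the signer's signature."""
    return {"name": name, "key": key, "signer": signer_n,
            "sig": pow(digest(name, key, signer_n), signer_d, signer_n)}

def verify(cert, expected_name, trusted_roots):
    """Step C: accept the key only if a signer we already trust vouches for it."""
    if cert["signer"] not in trusted_roots:
        return "untrusted signer"
    if pow(cert["sig"], E, cert["signer"]) != digest(cert["name"], cert["key"], cert["signer"]):
        return "bad signature"
    if cert["name"] != expected_name:
        return "name mismatch"
    return "ok"

def demo():
    # Constructed keys built from Mersenne primes; far too small for real use.
    ca_n, ca_d = keypair(2**127 - 1, 2**89 - 1)      # notary in the root list
    site_n, _ = keypair(2**521 - 1, 2**607 - 1)      # example.com / real Alice
    evil_n, evil_d = keypair(2**107 - 1, 2**61 - 1)  # whoever spoofs Alice
    roots = {ca_n}

    genuine = issue("example.com", site_n, ca_n, ca_d)
    self_signed = issue("alice@example.org", evil_n, evil_n, evil_d)
    swapped = dict(genuine, key=evil_n)  # CA signature kept, key replaced
    countersigned = issue("alice@example.org", site_n, ca_n, ca_d)
    return {
        "genuine": verify(genuine, "example.com", roots),
        "self_signed": verify(self_signed, "alice@example.org", roots),
        "swapped": verify(swapped, "example.com", roots),
        "countersigned": verify(countersigned, "alice@example.org", roots),
        "wrong_name": verify(genuine, "alice@example.org", roots),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} {result}")
```

The self-signed key is mathematically valid yet rejected, because the verifier has no prior reason to trust its signer; the same key material becomes acceptable only once a trusted party countersigns it.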