I don't think it's realistic to expect people to check certificates before giving out sensitive data (or ever, really). And since that's the case, having encryption-but-not-really seems worse to me than encryption-only-if-it's-secure. The average person won't understand the distinction, and will assume encryption=safe. Since the user can't be expected to check the certificate's authenticity, the CA steps in to fill this role.
If you give your POP3 or FTP password over a self-signed SSL connection, you might as well send it over plain text. It's not a whole lot harder for somebody in the middle to read, unless you're checking the signature out-of-band. Which you're not.
The general consensus in the encryption community is that bad encryption is worse than no encryption, and I think they're right. On the surface, it is marginally "better" than cleartext, but in the real world it changes people's behavior and makes life much easier for the bad guys.
Your point about spoofed URLs and such is correct, but that's a different problem.