So, with the third party out of the equation, how does one know that the security certificate you receive from random-site.com is the one that random-site.com intended you to receive? This is where going to two entity encryption fails, because the web has no inbuilt ability to verify the communication with the website is as secure as intended without going to a third party.
Just allowing self signed certs won't solve anything, because most people who use the web won't bother with any independent verification (which you would have to do offline or on a different internet connection for it to mean anything anyway) - fuck, do you remember how long it took to beat "look for the padlock symbol" into people in the first place? All it will do is what people have been bitching about for similar other approaches for years now - people will get so many pop ups, they will stop caring and just click OK.
The CA system isn't the best solution in the world, but its better than most suggestions, including allowing self signed certs for general communication.