to be fair, the cost of the cert is supposed to cover the cost of validating the identity of the person asking for the cert and then to maintain housekeeping things like security, redundancy of the signing key, revocation list, etc.
the thing that makes the $900 so bad is that all of this work needed to be done for th $300 cert as well, the only difference between the $300 and $900 option is a tag inside the cert. Most cert vendors don't have the two grades anymore.
also, since the export browser restrictions were lifted, there really shouldn't be anyone using an 'export browser' that would act any differently with the two types of certs (when was the last 'export' browser shipped?) If anyone is still using such a browser they have so many security holes that downgrading the encryption to 40 bits is a minor risk.