IMO, that's probably a key point. The fact that LWN.net needs to pay for that is a bug. (Is it in Fozilla's bugzilla at least?)
Maybe what's reasonable to do is to convince browsers's developers that nowadays certificates issued by some CAs are less reliable than even some self-signed ones. If they really care about HTTP security (and I am pretty sure they do), they must support self-signed as much as CAs. With all their support for modules updates, why not go wild and implement efficient (final) certificates packages distribution in the brower?
I propose to use a rainbow color gradient as the indication for such self-relying sites (as in pick your own trust level ;-).
If other organizational-level constraints impose you to use a commercial certificate (I suspect it may be that), then let's build on these problem to that these constraints are not legitimate.
As a side note, I am gonna give a short course in security this afternoon (university level). I've done that regularly on a short period for the last decade. The audience is pretty technical (most of them will be embedded systems developpers or network administrators in the short term).
I noted something amusing on that 10 years period: around 2002-2004 most students knew what certificates were (a security-related item, where to look in the browser, sometime the RSA public key thing). As years passed, they knew less and less about that. Last year and especially this year: they did not even know about certificates existence. At this level of engineering education, that's astounding.
When I spoke about certificates, I got a few answers: about "SSH certificates"!