Correct, but if you make the warnings more severe than warranted, users pay less heed to warnings generally. If the user never received a browser security warning before in their life, the first time will make them think twice. If they've seen them before and wound up going ahead and nothing bad happened, they'll come to ignore them.
Honesty might not always be the best policy, but the current policy is certainly bad. In real life we know that certain types of cert errors are much more likely to be innocuous than others -- like a cert for "www.amazon.com" on "amazon.com", vs. a large banking site using a self-signed cert. A lot of this knowledge could be wired into the browser, and the warnings could be adjusted accordingly. Attackers will realistically target mostly large e-commerce or banking sites, where they can see easy gains, so getting a list of those and stepping up the warnings there while scaling back for others would greatly increase warning accuracy.
I'm hopeful that STS will mostly solve the problem, by giving an out-of-band automated way to get a list of sites that really want to commit to using valid certs always. (Out-of-band because the real value will be when lists ship with the browser and auto-update.) In that case, non-STS sites can have their warnings greatly moderated, ideally notification bars instead of interstitials. But the existing problem is real, and could have been mitigated by the browser implementers by deploying fairly simple heuristics long before now -- when instead some have been making it worse.
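A small sketch of the heuristic the comment proposes, written as an added example rather than anything from the commenter or from a real browser: a hostname mismatch that differs only by a leading `www.` is downgraded to a notification bar, an STS-covered host gets a hard block (which is what HSTS actually specifies: no click-through), and everything else keeps a click-through interstitial. The `STS_LIST` entries and the `.example` hostnames are constructed, and `Error` is a simplified model of certificate errors, not any browser's own enumeration.

```python
"""Toy severity heuristic for TLS certificate warnings (added example).

Assumptions: STS_LIST is a constructed stand-in for a preloaded STS list;
Error is a simplified model of cert failures; hostnames are all fictitious.
"""
from enum import Enum


class Error(Enum):
    NAME_MISMATCH = "hostname mismatch"
    SELF_SIGNED = "self-signed or untrusted issuer"
    EXPIRED = "expired"


class Severity(Enum):
    NOTIFY = "notification bar"
    INTERSTITIAL = "click-through interstitial"
    BLOCK = "hard block, no click-through"


# Constructed stand-in for a shipped STS list. The value records whether the
# entry also covers subdomains (the includeSubDomains directive).
STS_LIST = {"bank.example": True, "shop.example": False}


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (no or non-numeric max-age).
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def sts_covers(host, sts_list=STS_LIST):
    """True if host, or a parent entry flagged includeSubDomains, is on the list."""
    host = host.lower().rstrip(".")
    if host in sts_list:
        return True
    labels = host.split(".")
    for i in range(1, len(labels)):
        if sts_list.get(".".join(labels[i:])):  # only parents covering subdomains
            return True
    return False


def www_variant(host, cert_names):
    """True if the cert does not name host but does name its www./non-www twin."""
    host = host.lower().rstrip(".")
    names = {n.lower().rstrip(".") for n in cert_names}
    twin = host[4:] if host.startswith("www.") else "www." + host
    return host not in names and twin in names


def classify(host, error, cert_names=()):
    """Map a cert error on a host to how loudly the browser should warn."""
    if sts_covers(host):
        # The site committed to valid certs; HSTS mandates no user recourse.
        return Severity.BLOCK
    if error is Error.NAME_MISMATCH and www_variant(host, cert_names):
        # Common misconfiguration, rarely an attack: soften the warning.
        return Severity.NOTIFY
    return Severity.INTERSTITIAL
```

The `www.` rule is deliberately the only downgrade; an expired or self-signed cert on a non-STS host still gets the interstitial, since the comment's argument is about reducing false alarms, not removing warnings.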