you are unable to protect against MitM and other forgery attacks
Uhh, using a self-signed cert doesn’t mean you just accept any old cert… Not every cert is designed for serving content to a browser. You do SSL mutual auth between services using self-signed certs
Basically with self signed certs, you control the ENTIRE trust chain. When you use existing CAs, any bad actor in any of those CAs can generate certs that you would end up trusting. So it’s less secure because you have to trust a lot more people.
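As an added illustration of the point made above (example code written for this page, not taken from the thread or any project): a private CA is created in memory, each service gets a certificate issued by it, and each side is configured to trust only that CA. Certificates from a second, equally valid CA are then rejected in both directions, which is the "any bad actor in any CA" case in practice. The CA names and the hostnames `svc-a.internal` / `svc-b.internal` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA builds a self-signed CA in memory: the root of the private trust
// chain both services are enrolled with (constructed for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a leaf certificate for one service with the given CA.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// mutualHandshake runs one mutual-TLS handshake over loopback. Both sides
// trust only the given pool, so a cert from any other CA fails verification.
func mutualHandshake(serverCert, clientCert tls.Certificate, trust *x509.CertPool) error {
	srvConf := &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust, MinVersion: tls.VersionTLS12}
	cliConf := &tls.Config{Certificates: []tls.Certificate{clientCert},
		RootCAs: trust, ServerName: "svc-a.internal", MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
		srvErr <- tls.Server(conn, srvConf).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	if err := tls.Client(raw, cliConf).Handshake(); err != nil {
		return fmt.Errorf("client rejected server: %w", err)
	}
	// In TLS 1.3 the client finishes before the server has checked the client
	// certificate, so the server's verdict is collected separately.
	if err := <-srvErr; err != nil {
		return fmt.Errorf("server rejected client: %w", err)
	}
	return nil
}

// Scenarios returns one error per case (nil means the handshake succeeded):
// own: both certs from the private CA; foreignServer / foreignClient: the
// server or client cert comes from a different, valid CA nobody enrolled.
func Scenarios() (own, foreignServer, foreignClient error) {
	ourCA, ourKey, err := newCA("Internal Services Root (constructed)")
	if err != nil {
		return err, err, err
	}
	otherCA, otherKey, err := newCA("Some Other CA (constructed)")
	if err != nil {
		return err, err, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(ourCA) // the only root either service will ever accept
	mk := func(ca *x509.Certificate, k *ecdsa.PrivateKey, host string, serial int64, u x509.ExtKeyUsage) tls.Certificate {
		c, e := issue(ca, k, host, serial, u)
		if e != nil && err == nil {
			err = e
		}
		return c
	}
	srv := mk(ourCA, ourKey, "svc-a.internal", 2, x509.ExtKeyUsageServerAuth)
	cli := mk(ourCA, ourKey, "svc-b.internal", 3, x509.ExtKeyUsageClientAuth)
	badSrv := mk(otherCA, otherKey, "svc-a.internal", 4, x509.ExtKeyUsageServerAuth)
	badCli := mk(otherCA, otherKey, "svc-b.internal", 5, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return err, err, err
	}
	return mutualHandshake(srv, cli, trust), mutualHandshake(badSrv, cli, trust), mutualHandshake(srv, badCli, trust)
}

func main() {
	own, fs, fc := Scenarios()
	fmt.Println("own CA:", own)
	fmt.Println("foreign server cert:", fs)
	fmt.Println("foreign client cert:", fc)
}
```

The part that carries the security argument is the `tls.Config`: `RootCAs` and `ClientCAs` are set to a pool containing only the private root, so the system trust store (and every public CA in it) never enters the decision. The flip side is the point raised later in the thread: the private CA key and the enrolment of that root into every service are now yours to protect and rotate.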
I didn’t say anything that disagrees with this. CAs are nice and convenient. They do this by expanding the chain of trust to a lot more people, hence making them less secure.
Sure, if you can’t securely manage your cert, that’s a problem. But that doesn’t mean it’s less secure