It really depends on what exactly you are talking about. For a Man-in-the-middle attack, your statement is false. For passive dragnet surveillance, your statement is true.
Doesn't really matter, does it? Even if MITM attacks are 99% of all attacks, that doesn't leave you any worse off with a self-signed certificate. Better yet, you are able to use a root certificate only trusted by most, rather than all, browsers because you secure that much of your traffic (which could easily be the 80+% that runs a modern browser, just not the few virus-infected XP machines) which would enable actual innovation among CAs.
What needs to change, in addition to this, is that the interstitial warning page for a self-signed certificate needs to go away.
Having a self-signed cert > http.