On the other hand, if you run your own CA and mostly care about your own users, using a cert signed by your own CA makes sense, to a certain extent.
So TLS (X.509) only allows serving a single certificate. You have to choose to serve one trusted by people you need not to be hacked (your own CA) or a commercial one to reduce in general the likelihood of being hacked. I can see why they chose the first option.
Obviously if websites were not signed by one of the 'root trust' paths but by several, and the reputation of each of those trust paths, and the host itself, was tracked in a decentralised secure database where trust was built over time, that would be better.
Oops, I just suggested blockchain snake oil would solve something.