It's even worse: a fake certificate from a man in the middle causes a trustworthy warning! If a certificate is not co-signed by any of the browser's compiled-in authorities, the browsers will just ask: "...do you want to trust <company>". The hacker is completely free to fill in <company> when he creates his own certificate on the server side (using plain openssl). This will be the only popup, as the fake certificate will match the faked URL.
Did M$ expect people to say "no" to the fake question "Do you want to trust Citibank" when they are in fact trying to connect to the real Citibank site?
The default behavior of a browser should be to reject unsigned certificates and not even ask the question. Currently there is not even a warning that <company> was learned from an unsigned certificate.
(disclaimer... does not necessarily reflect the opinion of my employer...)
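An added Go example (not code from the comment's author) showing the decision the comment argues for: a self-signed certificate carries a name chosen by whoever generated it, strict chain validation against a root store rejects it outright without any prompt, and the only thing that makes it validate is an explicit addition to the store, which is what answering "yes" to the prompt amounts to. The host name, the certificate contents and the function names below are constructed assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSignedCert builds a certificate signed by its own key for whatever
// name the caller passes in. Nothing in the certificate vouches for that name;
// it is constructed test input, not any real site's certificate.
func makeSelfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template doubles as parent: the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// isSelfSigned reports whether the issuer is the subject and the signature
// verifies under the certificate's own key, i.e. the name a browser would
// show in a "do you want to trust <company>" prompt came from the very
// certificate being questioned.
func isSelfSigned(cert *x509.Certificate) bool {
	if string(cert.RawIssuer) != string(cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// trustedByStore is the decision a browser should make automatically: does a
// chain exist from cert to a root in the store, and does cert name this host?
// No root in the store means no chain, regardless of what the subject says.
func trustedByStore(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	const host = "online-banking.example" // constructed name, not a real site
	cert, err := makeSelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject CN %q, self-signed: %v\n", cert.Subject.CommonName, isSelfSigned(cert))

	// A store with only the real compiled-in roots (here: none at all) rejects it.
	fmt.Println("trusted with empty root store:", trustedByStore(cert, x509.NewCertPool(), host))

	// Answering "yes" to the prompt is equivalent to adding the certificate
	// itself to the trust store; only then does validation succeed.
	accepted := x509.NewCertPool()
	accepted.AddCert(cert)
	fmt.Println("trusted after explicit addition:", trustedByStore(cert, accepted, host))
}
```

The point the output makes is that the certificate's subject is the only thing that says "online-banking.example", and `trustedByStore` never consults the subject to decide trust; it consults the store. A client that simply returns `false` here, instead of asking the user, behaves the way the comment suggests.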