I would say those claiming certificates from a public CA provide no assurance of authentication of server identity greater than that of a self-signed one would have the burden of proof to show that it is no less likely for an attempted forger to be able to obtain a false "bought" certificate from a public trusted CA that has audited certification practices statement, a certificate improperly issued contrary to their CPS, than to have created a self-issued false self-signed certificate.
Do you ever buy SSL certificates? For cheap certificates ($9 Geotrust, $8 Comodo, free Startcom, all accepted by Gmail), the entirety of the identity validation is to send an email message to an address associated with the domain, typically one of the WHOIS addresses, or hostmaster@domain, and look for a click on an embedded URL. Sometimes they flag names that look particularly funky, such as typos of famous names, but usually they don't. So the only assurance a signed cert provides is that the person who got the cert has some authority over a name that points to the mail client, which need have no connection to any email address used in mail sent from that server. That doesn't sound like "authentication of server identity" to me.

R's,
John
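The distinction John draws, as an added example that is not part of the thread: a domain-validated certificate on a mail relay binds only the DNS names in its SAN list, so a check of the presented names against the host you connected to says nothing about the mailbox that appears in the session. The SAN entries, host names and addresses below are constructed samples; the wildcard rule follows RFC 6125 (one label, leftmost only).

```python
"""Added example: what a DV certificate on a mail server attests, and what it does not."""
from dataclasses import dataclass


def name_matches_san(hostname: str, san: str) -> bool:
    """Match a hostname against one dNSName SAN entry.
    A wildcard is honoured only as the entire leftmost label and never
    matches zero labels (example.net) or several (a.b.example.net)."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    h_labels = hostname.split(".")
    s_labels = san.split(".")
    if len(h_labels) != len(s_labels):
        return False
    # the wildcard must stand in for exactly one non-empty label
    return h_labels[0] != "" and h_labels[1:] == s_labels[1:]


@dataclass
class Finding:
    server_name_verified: bool   # the cert covers the host we connected to
    sender_domain_in_cert: bool  # the cert also covers the sender's domain
    note: str


def assess(san_entries, connected_host, mail_from) -> Finding:
    """Report what a DV certificate proves for one mail session.
    san_entries: dNSName values from the presented certificate (constructed).
    connected_host: the name the client resolved and connected to.
    mail_from: the envelope or header address observed in the session."""
    verified = any(name_matches_san(connected_host, s) for s in san_entries)
    sender_domain = mail_from.rsplit("@", 1)[-1]
    in_cert = any(name_matches_san(sender_domain, s) for s in san_entries)
    if not verified:
        note = "name mismatch: the certificate does not cover the host at all"
    elif in_cert:
        note = ("certificate covers the sender's domain, but DV only shows "
                "control of that DNS name, not of any mailbox under it")
    else:
        note = ("certificate covers the server name only; it says nothing "
                "about who may send as " + sender_domain)
    return Finding(verified, in_cert, note)


if __name__ == "__main__":
    # constructed sample: a hosting provider's relay cert, a customer's sender
    sans = ["mail.hosting-example.net", "*.hosting-example.net"]
    print(assess(sans, "smtp.hosting-example.net", "alice@customer-example.org"))
```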