Yes, the PKI is centralised. And yes, I agree, this is bad.
IMHO, leaving your website insecure is worse. You could have a self-signed certificate, but I think it is also really bad. The thing is that we deal with users that don't really understand what's going on. So we have to do our best to protect them. You can't assume that they'll know that their password will be insecure, and that everybody online will know what pages they were visiting, just because there was no https.
Unfortunately, I don't have anything to offer to work around the fact that https is centralised. I know it's tough, but that's life. If you know some alternatives, I'd be interested.