"Internal" begs the question of key management, which is the whole issue to begin with. At any rate, my claim stands that a self-signed certificate is by nature more secure than a CA-signed one, because it does not require the additional level of trust in the CA.
It's only more secure between two parties that can reliably confirm their identities with each other out of band. A CA, however badly implemented in practice, is more secure by design because the worst case scenario (a subverted CA) is no different from a self-signed certificate from a client perspective.
In terms of what you're focusing on in this thread (verification of identity) I don't disagree. But a MitM attack on coffee shop wifi is a problem which is exacerbated by self signed certificates.
