1. The web page is not the primary entry point for the program; the Debian package is. So I don’t think the “bounce rate” is that large of a problem.
2. CAcert was chosen when the system was used for different purposes, in a different environment, by a different audience, and at a time when Debian shipped browsers with CAcert’s root cert included. After that, it’s just been inertia.
3. I quote from the StartSSL F.A.Q.¹: “The Terms and Conditions of StartCom and the StartCom Certification Policy requires subscribers to provide the correct and complete personal details during registration.” I generally don’t create accounts with external services, and as a sysadmin, I can and do run everything myself.
The canonical link is (https://www.recompile.se/mandos), which currently redirects into our MediaWiki instance.
(Regarding CAcert: we are planning to move to Let’s Encrypt whenever they become available, but for now CAcert is at least better than self-signed.)