I'm not aware of arguments that the existence of a self-signed
certificate is a bad thing (introducing any vulnerabilities) in
and of itself, and in fact believe that self-signed certificates
are a conveniently defined and suitable format for storing
public keys for some purposes. Of course, the presence of a key
in such a certificate does nothing to vouch for the validity of
the key's binding with the name in the certificate; for a
self-signed certificate, this trust must be acquired through
out-of-band means.
--jl
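An added illustration of the point above (example code, not part of jl's message): a Go program using only the standard library mints a self-signed certificate for the assumed name example.test, shows that its signature verifies against its own key (internal consistency only), that a verifier with no trust anchors rejects it, and that it is accepted only once an out-of-band decision has placed it in the trust pool or matched its fingerprint. A second, equally self-consistent certificate for the same name stays untrusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate binding name to a fresh key; anyone can do this for any name.
func selfSigned(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // constructed sample name
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Parent == template and signing with the template's own key is what makes it self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor builds a chain for name from the given anchors only. With an empty
// pool a self-signed cert is an UnknownAuthorityError; it passes only after an
// out-of-band decision has placed it in the pool.
func verifyFor(cert *x509.Certificate, name string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: name, Roots: roots})
	return err
}

// fingerprint is the SHA-256 of the DER, the value compared against one learned out of band.
func fingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.Raw)
}
```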