First, certificates require a password to protect the private key, thus they are still subject to brute-force attack if the attacker can get a copy of the certificate. In a recent attack against clients of a South African bank, the attacker didn't have to brute force the certificate, he merely gained control of the PC, installed a key logger to get the the PIN and password for the user's online bank account and transferred money out. (Chance are that the password was for the account log in rather than the certificate, but the attack works either way.) The requirement for a password for the certificate means that certificates don't eliminate the costs of passwords, so you have some marginal improvement in security with increased costs due to certificate management.
In addition, auditors might not validate self-issued certificates for compliance efforts such as PCI compliance.