Hacker News

That sounds like a good way to kill innovation: make it impossible to distribute (and possibly develop) software without consent of a CA.


There is a middle ground. OS X default configuration only allows software to run if it is signed by a developer, unless you right-click on the application and select "open" through the contextual menu, in which case you are presented with the option to override it.

I like this, and I am a software developer.

(Windows has something like this too. I don't remember the details.)


I hate OS X's implementation. They need to allow third-party CAs.

I don't want to choose between what Apple allows developers to do and "fuck it let it run free and do whatever it likes". Nor do I want the global choice in System Preferences to be between developers that paid $100 to Apple this year and Wild West.


What would prevent malware authors from just signing with their own CA?


Users shouldn't install self-signed root certs unless they trust that root with access to all of their computer.


"all users can install trusted root certificates" doesn't reject the notion of self-signed roots.



