Not to run, just to keep running long-term. If Let’s Encrypt exploded you would have less than 30 days to get it running again. But that’s not such a short time.
Nope. https, hybrid crypto and pub->free CA's are the largest backdoor into internet traffic ever (accidentally) devised. The standardization on https for everything (including alt app protocols (dns,etc...)) is very apparently an info grab.
Sym crypto is the only answer (Schneier,DJB) people have been trumpeting this for years.
If I connect to a server via https and see it's certificate, I am confident that my communication is secure between me and the server hosting that certificate.
To validate the person holding that certificate is who they claim to be, how can I do that? By either getting their certificate out of band (impractical), or trusting an intermediate.
Lets encrypt doesn't make it any easier or harder to get an invalid certificate.
Now if the server wants me to authenticate, https has that built in. I can present my own client certificate, and if it's signed by somewhere the server trusts, it knows who I am. But how would a random server authenticate who I am? I'd personally rather use certificates or ssh keys or similar than usernames and passwords, but that's too complex for the average person.
Clearly I could have lost control over the key to my certificate, or the server could have lost theirs, there's not much you can do about that, no matter what type of authentication system you use.