The current version requires a signed cert yes. Whether that's difficult or not depends on the policies of the cert authorities. Ultimately all they have to do is verify an email address by sending it a clickable link, which is why StartSSL do it for free. Probably they aren't optimised for usability, but there's no technical reason why one couldn't be. It's a competitive market, after all.
There's also the option of extending the payment protocol to support other forms of PKI. But from a technical perspective the X.509 PKI is fine. Someone can always set up their own CA for the Bitcoin community and convince wallet developers to include their root cert, after all.