That assurance of identity, rather than a huge encryption key, is what's in the second box locked with a CA's public key.
As the DigiNotar incident(s) have demonstrated, the system does NOT prevent MITM attacks if a top-level CA is breached. However, so far the number of such detected breaches has remained quite small; small enough that the system is still believed to be viable. That can always change, of course.
So long as greedy humans exist, they will find ways to prey on others. Members of our species, history tells us, are predators by nature, and prey on their fellows as well as other species. A perfect system is impossible to achieve; we have to work with the best we can do even if it's not as good as we would like.
EDIT: Yes, CAs are a bit costly. I've never used one for exactly that reason. However, they do work for firms that I do business with, such as my bank or the utility companies that I pay through their web sites. Few of us are really concerned about such matters when it comes to visiting forums, or casual email contacts...