Originally Posted By: artie505
But why is a "self-signed" key "not trusted?"


If you're talking about com.apple.systemdefault, on my machine (running 10.8.2), it doesn't say that certificate is not trusted. It says "This certificate has not been verified by a third party."

Which is true.

But that doesn't mean it's not trusted. It's trusted on your machine, because it's on your machine, in your keychain, and marked there as trusted. It will not be trusted on any other machine.

Had it been signed by another certificate (and not revoked), it would be accepted on any other machine that accepted the signing certificate. But that's not what it's for. It's for saying "I made this signature, so I trust it, but I don't expect anyone else to."


I don't know what the deal is with Dashboard Advisory. I know what it's for, but I don't know why Apple didn't either put it in System Roots or sign it with something that is (like Apple Root CA).


If you're asking about self-signed certificates in general, they're born untrusted (because anyone can make one), and become trusted by explicit action. One way for a root certificate to become trusted is to be included in the System Roots keychain, which Apple populates as part of system installation. The chain of trust starts with Apple investigating the issuer, and deciding that they're a legitimate Certificate Authority (CA); and then you trust Apple by running their installer.

The other way to become trusted is through explicit interaction. For example, you can open a certificate and change the trust setting to "Always Trust". Or the System Installer can create the self-signed certificate and explicitly mark it trusted. Either way, such trust is established only in that keychain.

A non-root certificate (that is, one that is not self-signed) is valid if its signature can be verified by the signing certificate, if that can be found and is itself valid.

Any certificate, self-signed or not, can expire and/or be revoked. An expired certificate can still be marked trusted, overriding the expiration.
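The trust rules described in the post, replayed with the OpenSSL CLI in place of Keychain, as an added example that is not code from the post or from Apple. The names Demo Root CA and demo.example are constructed, and it assumes an `openssl` binary of version 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the trust rules it
# describes with the OpenSSL CLI in a scratch directory, in place of Keychain.
# Names (Demo Root CA, demo.example) are constructed; assumes openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_selfsigned FILE CN: a root certificate that signs itself.
mk_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# 1. Our own root, plus an impostor root with the same name but its own key
#    ("anyone can make one"). Neither is trusted by any store yet.
mk_selfsigned root "Demo Root CA"
mk_selfsigned impostor "Demo Root CA"

# 2. A non-root certificate: a leaf signed by root, so it is not self-signed.
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# trust_status CERT [ANCHOR]: prints "trusted" if CERT chains to ANCHOR,
# otherwise "untrusted". With no ANCHOR the store is empty, which is the
# state of a fresh self-signed certificate on any other machine.
# -no-CApath (and -no-CAfile) keep the system roots out of the decision.
trust_status() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

echo "self-signed root, no explicit trust:  $(trust_status "$WORK/root.pem")"
echo "self-signed root, marked trusted:     $(trust_status "$WORK/root.pem" "$WORK/root.pem")"
echo "leaf, signing cert not available:     $(trust_status "$WORK/leaf.pem")"
echo "leaf, signing root trusted:           $(trust_status "$WORK/leaf.pem" "$WORK/root.pem")"
echo "leaf, only the impostor trusted:      $(trust_status "$WORK/leaf.pem" "$WORK/impostor.pem")"
```

Marking the root as the anchor plays the role of "Always Trust" in Keychain: the same self-signed certificate goes from untrusted to trusted without changing at all, and only the leaf that it actually signed benefits, not one signed by the impostor with the same name.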