Re: I think the real reason PGP succeeded...
Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.
If your CA is generating your key pair, You're Doing It Wrong. You should be generating the key pair and sending a CSR to the CA. The CA should never have possession of the private key.
And you don't have to pay for a certificate, either. If you're using a self-signed certificate (which I assume is what you meant by "the certificate ... is signed .. by the private key"), then there certainly shouldn't be any CA involved, and so no charge. Even if you have a CA-issued certificate, there isn't inherently any cost; if you're paying, it's for the privilege of participating in the CA's PKI. There are S/MIME deployments within organizations and consortia that manage their own PKI and thus have no reason to charge.
Indeed, there's no reason why a bunch of people can't cooperate on a PKI, which makes this aspect of S/MIME exactly equivalent to PGP's Web of Trust, in the simple model. And, in fact, PKIX allows other types of PKI graphs, so it's more flexible than the PGP Web of Trust PKI.
PGP is important for many reasons, and the Web of Trust PKI, while it has huge problems with scaling and sparse graphs, works for many purposes under many reasonable threat models. But S/MIME's use of PKIX trivially degrades to be functionally identical to the WoT, while offering a variety of alternatives to handle other use cases. This is a false distinction.
Conversely, there are many things wrong with PKIX, starting with the many (many) things wrong with X.509. But this isn't one of them. You're complaining about a particular use case which isn't even available with the WoT (even as augmented by keyservers, which are problematic in themselves). Apples and oranges.