They are, but they're not included in various browsers for various reasons -- so they are "legit", but they are not easy to use for use-cases where you don't have a modicum of control over clients (can install, or ask clients to install, CAcert root keys).
Please don't suggest that CAcert is much less secure than trusting a handful of government CAs by default (or even much less secure than certain commercial CAs).
CAcert isn't perfect, but it is an interesting and important project. It's a pity Debian ended up stripping CAcert IMNHO. Anyway, it is healthy to be sceptical; for some more info, see e.g.: