Hm, I can fully agree. An internal CA doesn’t improve security, but it doesn’t reduce security either. It’s just as secure as a CA signed by a commonly accepted master CA.
And that’s my point: You get no benefit from using certificates signed by a company CA. The only thing you get are potential problems because the certificates might be built with different options.
I’m purely talking about backend communication, and that’s what the Icinga internal CA is for. You don’t use it for web interfaces, only for the API.
If you want to use internal certificates for Icinga Web 2 (which I wouldn’t suggest), you definitely should make sure the CA certificate is put into users’ trust stores automatically. I’m totally on your side that telling users to accept the CA certificate is very bad practice.
Side note: I’ve seen people checking every single fingerprint before accepting a connection, at customer sites I’m not allowed to talk about.
But it really does happen.
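As an added illustration of the trust-store point above (this is example code written for this thread, not from the post, Icinga, or its documentation): a certificate issued by an internal CA is only as trusted as the store the verifier uses. The script below builds a throwaway internal CA and a node certificate, then runs `openssl verify` once against the system trust store and once against a store that contains the internal CA. It assumes `openssl` is installed; all names, paths and the example CN values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Shows that a certificate from an internal CA fails verification against the
# default (system) trust store and passes only when that CA is in the store.
# Assumes the openssl CLI is available; all names/paths below are constructed.
set -e

demo_internal_ca() {
  work=$(mktemp -d)

  # Internal CA (constructed, self-signed), playing the role the Icinga CA
  # plays for backend/API traffic.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Internal CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1

  # Node certificate for a hypothetical backend host, signed by that CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=satellite.example.internal" \
    -keyout "$work/node.key" -out "$work/node.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/node.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/node.pem" >/dev/null 2>&1

  # 1) Verify against the system trust store: the internal CA is unknown there,
  #    so this is expected to fail (the "accept the certificate?" prompt users see).
  if openssl verify "$work/node.pem" >/dev/null 2>&1; then
    system_ok=1
  else
    system_ok=0
  fi

  # 2) Verify against a store that contains the internal CA: expected to pass.
  #    This is what distributing the CA certificate to trust stores achieves.
  if openssl verify -CAfile "$work/ca.pem" "$work/node.pem" >/dev/null 2>&1; then
    internal_ok=1
  else
    internal_ok=0
  fi

  rm -rf "$work"
  echo "system_store=$system_ok internal_store=$internal_ok"
}

# Usage: prints "system_store=0 internal_store=1" on a normal system.
demo_internal_ca
```

The second `openssl verify` is the check a properly provisioned client performs implicitly; if your users have to click through a warning, it is the first case that is happening on their machines.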