The risk lies in how effective the defenses protecting the hosts in question are, including the network connection between them. Given that weaknesses and exploits are being found all the time, it is reasonable to say there could be issues with self-signed certificates used in a production environment – which includes hosts in a DMZ.

Here’s the reason: man-in-the-middle. In short, if either host – or the network between them – becomes compromised, then the traffic between them will still be encrypted, but because the certificate is self-signed, a man-in-the-middle (aka “MITM”) would be able to introduce a transparent proxy using a self-signed cert, which will be trusted by both sides.

If instead your hosts use a public CA, then the MITM approach cannot work.

If the annual $15-50 investment per host is more costly than the information on and between them – including what could be on them (e.g., compromised, serving malware), then the choice is simple: don’t worry about buying certs. Otherwise, it’s important to look into them.

The comment by Adam Hupp on this webpage provides a good, simple scenario:

http://www.vedetta.com/self-signed-ssl-certificates-vs-commercial-ssl-certificates-how-mozilla-is-killing-self-signed-certificates

And here’s a more fleshed out description of the risk:
http://blog.ivanristic.com/2008/07/vast-numbers-of.html

And finally a balanced look at the two scenarios, though this article only considers self-signed OK when there is a fully-functional, properly protected and implemented Certificate Authority server installed:
http://www.networkworld.com/news/tech/2012/021512-ssl-certificates-256189.html