As far as I've observed, it's enough to have the CA certificate present in the server's keystore. It's not necessary to import all possible client certificates. That's what PKI is for.
So if you set up a proper PKI, the issue is non-existent.
On the other hand, if you don't have PKI and use self-signed client certificates, what good is such security?
If the server trusted any arbitrary certificate that the client sent in, that wouldn't prove the identity of the sender in any way and would defeat the purpose of the whole signing mechanism.
The encryption mechanism's purpose would be defeated too, because if you accept any certificate without validation, an attacker can mount man-in-the-middle attacks against the encrypted channel, so the encryption doesn't offer any added security either.
So Robert, what you propose would effectively be no more secure than using no WS-Security at all.
But it would be much more complex and require much more work to develop and maintain, for a security layer which doesn't do its job.
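As an added illustration of the trust decision described above (example code, not part of the answer or of any WS-Security toolkit), the following Go program uses only the standard library to build a constructed PKI: one CA whose certificate is the sole entry in the server's trust store, two client certificates issued by that CA that are never imported individually, and a self-signed certificate that claims the same name as a legitimate client. The CA name and the client names "alice" and "bob" are constructed values. Chain validation against the trust store accepts the CA-issued certificates and rejects the self-signed one; a server that skipped this step would accept the impostor just as readily.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// nextSerial is a constructed serial counter; a real CA tracks serials durably.
var nextSerial int64

// template returns a minimal certificate template. CA templates get the
// certificate-signing key usage; leaf templates get the clientAuth EKU.
func template(cn string, isCA bool) *x509.Certificate {
	nextSerial++
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue creates a key pair and certificate for tmpl. With parent == nil the
// certificate is self-signed; otherwise it is signed by parentKey. Errors
// here only mean the fixture could not be built, so the demo panics.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// VerifyClient is the server-side trust decision: the presented certificate
// must chain to a CA in the server's trust store and be valid for clientAuth.
// Returning nil means "trusted"; a non-nil error means the client is rejected.
func VerifyClient(client *x509.Certificate, trustStore *x509.CertPool) error {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario holds the constructed PKI used by the demo.
type Scenario struct {
	TrustStore *x509.CertPool     // the server's keystore: CA certificate only
	Issued     []*x509.Certificate // clients issued by the CA, never imported
	SelfSigned *x509.Certificate   // impostor with no CA behind it
}

// BuildScenario constructs one CA, two CA-issued clients and one self-signed
// certificate that reuses a legitimate client's name.
func BuildScenario() *Scenario {
	caCert, caKey := issue(template("Example Corp Client CA", true), nil, nil)
	store := x509.NewCertPool()
	store.AddCert(caCert) // the only entry the server needs
	s := &Scenario{TrustStore: store}
	for _, cn := range []string{"alice", "bob"} {
		cert, _ := issue(template(cn, false), caCert, caKey)
		s.Issued = append(s.Issued, cert)
	}
	s.SelfSigned, _ = issue(template("alice", false), nil, nil)
	return s
}

func main() {
	s := BuildScenario()
	for _, c := range s.Issued {
		fmt.Printf("CA-issued %q: err=%v\n", c.Subject.CommonName, VerifyClient(c, s.TrustStore))
	}
	fmt.Printf("self-signed %q: err=%v\n", s.SelfSigned.Subject.CommonName, VerifyClient(s.SelfSigned, s.TrustStore))
}
```

The point to take from the run is that "bob" is accepted even though nothing about him was ever put in the trust store, while the self-signed "alice" is rejected with an unknown-authority error despite carrying a legitimate client's name. The server's configuration stays a single CA entry no matter how many clients are enrolled, which is what makes PKI scale and what a trust-anything policy throws away.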