Actually, the key-recovery process is quite useful. The reason is that instead of having your public key be the public key itself, you can use the hash of your public key (ie. Bitcoin address) instead. This cuts the required "public key" length in half for the same level of security. The verification protocol then becomes
Yes, Bitcoin is one exception because of the digested addresses, but if I'm up to date it's not currently used on the network. There's no opcode in the transaction script to perform recovery, so currently you can't reduce transaction size by omitting public keys. I suppose the primary advantage in Bitcoin is the reduced storage space.
It's not currently used on the blockchain, but there's a feature in the Bitcoin client that uses public key recovery in order to sign out-of-band messages with Bitcoin addresses.
def verify(msg,sig,addr): return pubkey_to_address(ecdsa_recover(msg,sig)) == addr
See also: https://github.com/vbuterin/pybitcointools