In Keychain you may still have the settings so to ask for password in order to use the certificate AND not having to confirm the use of the certificate for Mail.
Having to confirm Mail to use the certificate each time (without password) is just a nuisance that does not add to security. The way to avoid that is to Add Mail to the Access Control of the certificate so that Mail can use it if you have unlocked and provided the password.
All other applications will have instead to have the password reissued if want to use the certificate.
Again, unless you have set the keychain so to have to issue the password for every signed email there is no added security in confirming Mail to send signed mail. It would be meaningful if denying access would send a regular email but it is not the case: it sends what your recipient would take as a *tampered* email.