It's a pain in the arse for everyone involved. Adding another management layer to the stack isn't my idea of maintainability, and I'm inclined to agree with you on your point that it introduces a new set of problems.

TLS client certs are nice if everyone knows what they're doing, but in a lot of orgs that just isn't the case.