
Comment by infogulch

3 years ago

Yeah, the auditing, logging, and security requirements seem to be the main blockers.

But practically I don't see a difference between a name-constrained CA with a 90-day life and a wildcard cert with a 90-day life from the perspective of the requirements listed above. There are only benefits, because now you can scope down each service to a cert that is only valid for that service.
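The scoping the comment above describes, as an added example that is not part of infogulch's comment: it models dNSName name-constraint checking (RFC 5280) and wildcard matching (RFC 6125) to compare what one shared wildcard cert covers against per-service leaves issued under a name-constrained CA. The hostnames, the `home.example` subtree and all function names are constructed for illustration, and only dNSName entries are modelled.

```python
# Added illustration; hostnames and the permitted subtree are constructed sample values.

def in_permitted_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName constraint: the name must equal the subtree
    or be formed by adding whole labels to its left-hand side."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def wildcard_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the entire leftmost
    label and stands for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def ca_may_issue(permitted: list[str], sans: list[str]) -> bool:
    """Path validation fails if any dNSName SAN on the leaf lies outside
    every permitted subtree of the constrained CA."""
    return all(any(in_permitted_subtree(s, t) for t in permitted) for s in sans)

def hosts_served(cert_sans: list[str], hosts: list[str]) -> list[str]:
    """Hostnames a client would accept this certificate (and its key) for."""
    return [h for h in hosts if any(wildcard_matches(s, h) for s in cert_sans)]

HOSTS = ["git.home.example", "nas.home.example", "vault.home.example"]
PERMITTED = ["home.example"]  # permittedSubtrees of the constrained CA

def compare() -> dict:
    shared_wildcard = ["*.home.example"]   # one cert and key on every service
    git_leaf = ["git.home.example"]        # leaf issued by the constrained CA
    return {
        # Which services are impersonable if this one key leaks.
        "wildcard_key_exposure": hosts_served(shared_wildcard, HOSTS),
        "git_leaf_exposure": hosts_served(git_leaf, HOSTS),
        # The constrained CA cannot mint a valid cert outside its subtree.
        "in_scope_issuance": ca_may_issue(PERMITTED, git_leaf),
        "out_of_scope_issuance": ca_may_issue(PERMITTED, ["login.bank.example"]),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```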