arisudesu 2 days ago
Having short-lived certificates is good; replacing them too often is not. This is implemented trivially for single-host deployments, which just run certbot or an ACME client for each subdomain. But for sophisticated setups where a certificate for a domain (or multiple domains, or a wildcard) must be shared across a fleet of hosts, it is a burden. There are no ready-made tools available to automate such deployments, especially if the certificate must be the same on each of the hosts, fingerprint included. Having a single, authoritative certificate for a domain and its wildcard subdomains deployed everywhere is much simpler to monitor. It does not expose internal subdomains in certificate transparency logs. Unfortunately, the organizations (persons) involved in these decisions do not provide such tools in advance.
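A fleet-wide fingerprint consistency check of the kind the comment above asks for, added here as an example (not code from either commenter). It assumes an authoritative certificate file (PEM or DER) and a list of host:port endpoints that should all serve exactly that certificate, and uses only the Python standard library:

```python
"""Check that every host in a fleet serves the one authoritative certificate.

Added example; file path and host list are assumptions, not from the thread.
"""
import hashlib
import socket
import ssl


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_fingerprint(path: str) -> str:
    """Fingerprint of the authoritative certificate on disk (PEM or DER)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"-----BEGIN"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return der_fingerprint(data)


def fetch_fingerprint(host: str, port: int = 443, timeout: float = 5.0):
    """Fingerprint of the leaf certificate a host actually presents (SNI = host).

    Chain validation is disabled on purpose: the check below compares the raw
    fingerprint against the authoritative one, which is a stricter test.
    Returns None if the host cannot be reached, so drift and outages are visible.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return der_fingerprint(tls.getpeercert(binary_form=True))
    except (OSError, ssl.SSLError):
        return None


def check_fleet(expected: str, observed: dict) -> dict:
    """Return {host: fingerprint_or_None} for every host that diverges."""
    return {host: fp for host, fp in observed.items() if fp != expected}


if __name__ == "__main__":
    # Constructed sample inputs; replace with the real file and host list.
    authoritative = load_fingerprint("/etc/ssl/fleet/wildcard.example.pem")
    hosts = ["web1.example.com", "web2.example.com", "api.example.com"]
    drift = check_fleet(authoritative, {h: fetch_fingerprint(h) for h in hosts})
    print("drift:", drift or "none")
```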
lo0dot0 2 days ago | parent
I agree. There should be a process in place for checking whether changes are ready to be rolled out, and one of the checks should be a working, open-source prototype implementation that shows your systems can still be managed.