I think you've left out the ecosystem of semi-scam, without that the decisions look less logical.. If you go and add a private rootCA to all your servers there are risks. You can convince yourself the risks are covered, you can convince a highly qualified security analyst. Can you convince a business intern with a checklist hired by a certification firm that underbid the one with specialists? 30K to engage with no one on the topic starts to look ideal.

I'm not sure the alternative is sef-created RootCA. (But perhaps I don't understand the underlying case.)

To me, the alternative is just a LE cert. Can do wildcards via DNS challenge.