Sohcahtoa82 3 hours ago

Can someone explain why people struggle with CORS?

The full strength of the SOP applies by default. CORS is an insecurity feature that relaxes the SOP. Unless you need to relax the SOP, you shouldn't be enabling CORS, meaning you shouldn't be sending an Access-Control-Allow-Origin header at all.

If your front-end at www.example.com makes calls to api.example.com, then it's simple enough to just add www.example.com to CORS.
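
The setup in the comment above, sketched as an added example that is not part of the original comment: the API sends `Access-Control-Allow-Origin` only to an exact-match allowlisted origin and sends no CORS headers otherwise, so the SOP applies in full. The `https` scheme, the allowed methods and headers, and the names `ALLOWED_ORIGINS` and `corsHeaders` are assumptions made for illustration.

```javascript
// Exact-match allowlist for api.example.com. An origin is scheme + host (+ port),
// with no path or trailing slash. The https scheme is an assumption.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);

// Hypothetical helper: returns the CORS-related response headers for one request.
// requestHeaders uses lowercase names, as Node's http module provides them.
function corsHeaders(method, requestHeaders) {
  // The response depends on Origin, so shared caches must key on it.
  const headers = { "Vary": "Origin" };
  const origin = requestHeaders["origin"];

  // No Origin header, or an origin that is not on the list: add nothing.
  // Without Access-Control-Allow-Origin the browser enforces the SOP as usual.
  // Exact string comparison avoids the pitfalls of prefix, suffix or regex
  // matching, and never reflects an arbitrary Origin value back.
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return headers;
  }

  headers["Access-Control-Allow-Origin"] = origin;

  // Preflight: a browser sends OPTIONS with Access-Control-Request-Method
  // before a non-simple cross-origin request.
  if (method === "OPTIONS" && requestHeaders["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST"; // assumed API surface
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample requests: the front-end, a look-alike host, a different
// scheme, the opaque "null" origin, and a request with no Origin header.
const samples = [
  "https://www.example.com",
  "https://www.example.com.other.test",
  "http://www.example.com",
  "null",
  undefined,
];
for (const origin of samples) {
  const h = corsHeaders("GET", origin === undefined ? {} : { origin });
  console.log(String(origin), "->", h["Access-Control-Allow-Origin"] || "(no ACAO header)");
}
```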