I see what you mean, but this just trades one thing for another. On the one hand I could write a script that goes over every host and rsync's everyone's public key to it. You could have a cron job that does this. If you want to set up access control you would have sets of keys and different sets of keys would go to different servers. If you revoke a key you just need to remove it from the set and run whatever mechanism syncs the keys (a script that runs rsync under xargs would let you manage a few thousand servers pretty easily).

Ok compare that to this solution: you still have to define sets of users or certificates. You still have to go edit the configuration on every server to put the correct list of certificates on there, so you are managing the lists just the same. If you find out something needs to be revoked you have to go do that.

What's good: You don't have to go touch the servers in a loop except when changing the ACL setup for the servers. You can avoid having anything that can access the key setup for those servers (not really, you are just pretending this is true, but kindof).

What's bad: You have to buy into their model. You have to go change how you do auth on all the servers. Users can't generate their own keys anymore, which is annoying. Some things that magically work with keys will be hard or impossible to configure with certificates, especially home grown stuff. Whenever inifiwhatever gets hacked you are in serious trouble.