The fact the browsers stopped recognizing this is political, not based on any reality of sense. Everyone appeals to authority what the best way to do TLS is, and the problem is the authority is stupid.
It can't. Nothing is guaranteeing that organization names are globally unique, so getting an EV cert for a conflicting org name will always be possible. Well-known counterexamples are Apple (Beatles or tech company?), Nissan (computer repair guy, or car maker?), and Microsoft/MikeRoweSoft (some guy named Mike Rowe, or software giant from Redmond?).
Unless you're willing to retroactively cancel a massive number of trademarks, EVs with human-readable company names are not going to happen. The best you can do is some kind of unique company id, but who's going to check that "US0378331005" is the right one?
My suspicion is that corporations in general don‘t handle tasks well that need to follow an exact timeline and can‘t be postponed by a week or two.
Companies are generally able to develop a workable process around regularly-scheduled tasks. If you can't, you'll quickly run into trouble due to late salary payouts or missed tax filing deadlines. They'll rapidly accumulate a thick layer of bureaucracy around it, but as long as it gets exercised regularly it'll remain more-or-less functional.
Try the same with PKI and you'll run into massive issues during mass revocation events. Having a renewal process which takes 2 months and involves dozens of stakeholders is totally fine for a cert which gets renewed every 12 months on a well-known date - but not when you're working with a 72-hour deadline...
Yeah - I have almost never seen any corporate or government environment actually take a "forward-thinking" approach to any of the above...
Automated certificate renewal is maybe supported by 10% of services I operate where I work. And we're pretty modern. An organization with more legacy platforms is likely at "nothing supports automated renewal".
We are a decade or two out from 47 day expiry being a sane concept.
With a 47-day validity already on the calendar for 2029, nobody in their right mind is going to onboard a new service/device without automated renewal in 2026. Same with any kind of contract renewal: are you going to risk staying with the current vendor who is "considering" supporting ACME "at some point in the future", or would you rather ask their competitor who already supports it to make you a nice deal to convince your manager?
Sure, automated cert renewal might be supported by 10% of services right now, but what is that going to look like a couple of years from now when 100% of businesses are pestering their vendors for it, and leaving for competitors if they can't deliver?
To make things easy they usually all use different cert formats as well, requiring you to have an arsenal of conversion scripts ready.
In this case, “custom” means firewalls made by pretty much any of the major vendors.
Cisco, Juniper, Fortinet and Palo Alto have a lot to answer for with their laziness. Cisco and Fortinet added support only recently. Palo and Juniper haven’t bothered at all.
But yeah a lot of Windows server software uses inbuilt web servers with no ability to tweak or tamper beyond what the application exposes in its own settings panel.
I work in a multinational nightmare corp, we still have a mission critical Win95 machine.