Yes, with the due exceptions (IIRC the CA role requires an Enterprise server, and makecert is better known to developers than IT). All of this, including OpenSSL, requires an IT dept that know their stuff, and when a company is pinching pennies enough not to buy a certificate, that's certainly not a given.
Enterprise server? Well, it does require 2008 server, yes, and web server won't cut it.
But yeah, I take your point. Heck, I'm rewriting the systems that wrap MS's HTTPS issuance servers and I'm still finding out niggles about X509.