[xoa]

Another second order factor is that precisely because the GUI just puts it all out there visually, it creates encouragement to start imagining what can be eliminated/automated, or at least shoved behind "advanced options (rarely needed)". What can be sane modern defaults vs reinventing the wheel each time. There are a ton of options in OpenSSL almost nobody should ever use in 2022 including some genuine footguns. Without discipline, CLIs are easy to just keep adding to, and scripting may well encourage that in the typical nature of creating a dependent ecosystem that discourages breakage. Not that there can't be really bad ginormous GUIs too but minimalism has a bit more human psychology behind it there.

Of course, for precisely that reason there are lots and lots of examples (particularly under "modern" "clean/flat" design tastes) that go to the opposite extreme and remove too much, get too information light and hide or eliminate stuff that's genuinely very important. But in the specific context of security software at least the current best practices thinking is that the fewer knobs and dials the better. A huge amount is purely legacy from when there were many more tradeoffs to be made in available compute power/memory vs security, but that fell away long ago in settings that would make use of complex CAs anyway vs something simpler. Not that simple CLI/text configs can't be easy too, look at WireGuard.

This topic strikes a little close to home right now too since I just went through an incredibly frustrating period of trying to put together some internal CAs with modern best practices (like name constraints) and it was quite the maze to get through. And having done it (or at least Good Enough) it definitely didn't need to be that hard. Ah well. Although then again, my experience also highlights to the perils of GUIs at the same time: I would have just used something like the built-in web gui CA generator on OPNsense, except it's so simple it lacks name constraints. Which then led me back into the red in tooth and claw world of openssl and ca config files. So there's the binary of both, an over simplistic GUI and an over complex CLI. Perhaps there are better tools bridging that gap but my searching failed :(.