by 8organicbits 860 days ago
I'm not sure I see why it was revoking the certificates, when you renew a certificate that's about to expire you can just let the old one expire, right?
2 comments

I'd say that more often than not people building this sort of stuff in-house have no idea what they're doing. So although that part of the design doesn't make much sense it's not astonishing to see it.

A PKI provides a deeply technical solution to a hard problem you probably don't have. This technology is most often deployed when somebody has a different, easy problem, but they don't like the relatively easy non-technical solution.

This can go back to your old buddy NTP, specifically DHCP assigning this on untrusted networks. If you control the network (time?) and you manage to get the full expired certificate you may be able to MITM the victim successfully. If you force the CRL check first then things won't match up. I have no ideas on the feasibility of faking the CRL though, so it might be a wash.
Seems like it’d be fairly difficult in practice to change time on a host such that you can use an expired certificate without breaking a bunch of other stuff.