Yes, Let's Encrypt does allow you to create wildcards.
Yes you can cron a renewal using the script.
Trouble is, the platforms. Take Proxmox for instance. To change its certificate just for its web interface, not its inter-cluster comms cert, you have to either use its Let's Encrypt "ACME" API, the console or the web interface. The cert has to be registered and distributed by the cluster, aka a bespoke install. In most cases convincing these types to use wildcards is fiddly or, in the case of Proxmox, impossible. Thus you need 1 cert per node for the HTTPS and another cert for the cluster comms. Several different console commands and web UI to update those.
Then there are Apache and nginx which have additional steps after LE completes.
Then, where the pain starts to build, you have "containerised" appliances like GitLab-CE, Docker-Registry, GitLab Runners... all of which are docker containers built in docker containers running in docker containers. If you want to place a self-signed or LE cert into that setup, you have to basically rework all the Dockerfiles, docker-compose and kubernetes deployment scripts to "map" in the ca-cert for their "intra-service" communications to work.
So many of these platforms today not only expect you to be running in a cloud behind a "borrowed auto-gen cert", such as via AWS Certificate Manager, but will not work without a public CA trust anchor. In the case of GitLab, trying to get all of the components to trust a self-generated CA trust cert is an absolute nightmare which basically has to start from step ONE of building the environment and customisations added at every step!
If it was a simple matter of running a cronjob to regenerate the cert per-hostname every 90 days and maybe a few copy/rsyncs and a few service restarts... I'd be all over it.
The main issue is that I don't have 25 instances of a platform base OS. I have 25 instances of a wide range of different services and almost ALL of them have some particular config or setup to accept/renew/update their certificate. Some want the partial chain, some want the full chain, some want a crt, some want a pem.
Some of them want a cert they can use to SIGN CSRs dynamically (if you really want to use SSL within a dynamic container platform like K8S this is the preferred approach). The vast majority of people just avoid it at all costs and set up HTTP inside the cluster and ban HTTPS to the edge nodes/load balancers. This works for software development in enterprise, but when you are deploying 3rd party and open source "infrastructure" type stuff you can't control all of them that easily and, as above, they have a wide disparity of mechanisms for installing and updating certs.
Oh... and LE in my case can be done with DNS auth, however, that means that ALL of the hostnames I want to secure with LE have to be in public DNS.
tl;dr: renewing the cert is only 10% of the problem.
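The post's point that the renewal itself is the easy part while the per-service fan-out (partial chain vs. full chain, .crt vs. .pem, key-plus-chain bundles) is where the work sits can be made concrete with a deploy-hook style script. The following is an added example, not code from the post or from any of the projects it names; it assumes a certbot-like layout where `fullchain.pem` holds the leaf certificate first followed by the intermediates, and a separate `privkey.pem`. The PEM bodies below are constructed placeholders (base64 of a short string), not real certificates, so the script runs offline; point it at a real `fullchain.pem` and `privkey.pem` to use it. Only the standard library is used.

```python
"""Fan a renewed certificate out into the formats different services ask for.

Added example (not from the post). Assumes a certbot-like layout:
fullchain.pem = leaf cert first, then intermediates; privkey.pem = the key.
All sample PEM data here is CONSTRUCTED and not a real certificate or key.
"""
import base64
import os
import re
import ssl

# One CERTIFICATE block; non-greedy so each block is matched on its own.
PEM_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S
)
# Any flavour of private-key header (PKCS#8 "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY").
PEM_KEY_HEADER = re.compile(r"-----BEGIN (?:\w+ )?PRIVATE KEY-----")


def split_pem_bundle(bundle: str) -> list:
    """Return every CERTIFICATE block in the bundle, in file order, each ending in a newline."""
    blocks = PEM_CERT_BLOCK.findall(bundle)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return [b + "\n" for b in blocks]


def build_variants(fullchain: str, privkey: str) -> dict:
    """Map output filename -> bytes for the variants different services want.

    Sanity checks first: a private key must never ride along inside the
    chain file (a common copy/paste mistake), and the key file must actually
    hold a key.
    """
    if PEM_KEY_HEADER.search(fullchain):
        raise ValueError("refusing: private key material found inside the chain bundle")
    if not PEM_KEY_HEADER.search(privkey):
        raise ValueError("privkey does not contain a PRIVATE KEY block")

    certs = split_pem_bundle(fullchain)
    leaf, intermediates = certs[0], certs[1:]
    return {
        # Leaf only: what "cert.pem" means to most daemons.
        "cert.pem": leaf.encode(),
        # Intermediates only: the "partial chain" some services want in a separate file.
        "chain.pem": "".join(intermediates).encode(),
        # Leaf + intermediates: the "full chain" form.
        "fullchain.pem": "".join(certs).encode(),
        # Binary DER of the leaf. ".crt" is ambiguous in practice (some tools
        # mean PEM, some mean DER); this script uses it for DER and says so.
        "cert.crt": ssl.PEM_cert_to_DER_cert(leaf),
        # Key followed by the chain in one file (the HAProxy-style bundle).
        "combined.pem": (privkey + "".join(certs)).encode(),
    }


def write_variants(variants: dict, outdir: str) -> list:
    """Write each variant under outdir; anything containing the key is mode 0600."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for name, data in variants.items():
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        mode = 0o600 if PEM_KEY_HEADER.search(data.decode("latin-1")) else 0o644
        os.chmod(path, mode)
        written.append(path)
    return written


# --- constructed sample input (placeholders, NOT real cryptographic material) ---
def _fake_block(label: str, payload: bytes) -> str:
    body = base64.encodebytes(payload).decode().strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


SAMPLE_LEAF = _fake_block("CERTIFICATE", b"constructed placeholder: leaf")
SAMPLE_INTERMEDIATE = _fake_block("CERTIFICATE", b"constructed placeholder: intermediate")
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTERMEDIATE
SAMPLE_KEY = _fake_block("PRIVATE KEY", b"constructed placeholder: key")


if __name__ == "__main__":
    import tempfile
    out = write_variants(build_variants(SAMPLE_FULLCHAIN, SAMPLE_KEY), tempfile.mkdtemp())
    for p in out:
        print(p, oct(os.stat(p).st_mode & 0o777))
```

In a real deploy hook the writes would be followed by the per-service step the post describes (an rsync to the node, then a reload of Apache/nginx, or the platform's own import command), which this script deliberately leaves to the caller since that is exactly the part that differs per service.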