It was common to set up your own CA at one point, especially when DNS management was more manual. However, it presented a huge attack surface and was challenging to manage.
A compromised private CA can lead to widespread breaches, affecting various systems and applications that rely on its certificates.
The CAB Forum working groups being explicitly prohibited from working on private networks (at least historically) and market incentives also produced a situation where you can't really reduce the blast radius.
ESC1 attacks on AD CS are probably the best publicly documented case for further research.
The happy path is often manageable, but still complex, and any mistake will result in huge risks.