Weighing in because I breathed a heavy sigh of relief when I remembered we were using ESXi 5.1 (which used ye olde OpenSSL 0.9.8) - all of the traffic between the various VMware nodes and subsystems is governed by TLS with subsequent SSL certs. Generating the requests and the certs for all of these took a helluva long time; I was the poor sod who did it before they brought out their semi-automatic cert request generator (which still had to be manually submitted to the CA one by one). My doco on the process comprises about 1500 words (not including things like file locations and config values) and about 50 screenshots.
So it's not so much the pain of having things break that many admins will be worried about - it'll be revoking and replacing all those bloody certs across the entire infrastructure which will involve making the services unavailable for the duration. From what I've read about there's still no fully automated method in ESXi 5.5; whilst it might not be as hairy as 5.1 (and TBH it still looks like it is) it'll still take a looong time.
Start reading here http://www.derekseaman.com/2013/10/vsphere-5-5-install-pt-5-ssl-deep.html if you want to see how painful the SSL process is, and then remember that there's plenty of places that aren't allowed to use third-party scripting to do this either and must only use vendor-supplied tools.