I run DNSSEC (to facilitate DANE) and with regards to DNSSEC I haven't had to manually edit my zones in years either. Unlike yourself I don't consider DNSSEC deployment or ZSK rotation / KSK roll-over scary or complex, and seeing an adept technician dole out warnings on the level of "don't run with scissors" is pretty peculiar.
HTTPS also has expiring keys that also need to be rotated. Most people outsource this to a service provider for them - as is the case with DNS. It's weird how people gripe about standard cryptography/PKI when it comes to DNSSEC but not HTTPS.