Part of the issue is developers imagining a theoretical solution to a wider problem than CORS is trying to solve.

Once you understand that it's onlying to solve problems that happen in a user's compliant browser, and not some wider issue of resource authorisation, it does get a bit easier to understand.

Though in a way CORS seems too simple for what it achieves.