This is mostly the fault of the SSL certificate providers, which vary in complexity between the obnoxious GoDaddy and even more obtuse and impossible to deal with.
Compounding this, the configuration file formats for each web server platform vary wildly, selecting the correct format and installing it properly can be tricky.
Making matters worse, it's very easy to set up something that looks like it's working, but is actually broken on some subset of the browsers out there.
These problems can be solved with better standards, better documentation, testing tools, and most of all, providers that actually care about the user experience they're selling.
It's not that they need to be open-source or not, it's that their user interface is absolutely awful.
You can set up your own CA but you can't sign for domains unless you're in the proper chain. The ones holding the keys for these are the big providers.
Compounding this, the configuration file formats for each web server platform vary wildly, selecting the correct format and installing it properly can be tricky.
Making matters worse, it's very easy to set up something that looks like it's working, but is actually broken on some subset of the browsers out there.
These problems can be solved with better standards, better documentation, testing tools, and most of all, providers that actually care about the user experience they're selling.