
Paradoxically though, if it failed every year, then pretty soon maintenance would have to be performed every few months or days, or else there would be so many failures it would be really hard to ignore.


This is an interesting argument. Maybe 10 years as a lifespan would be better than 100 years since it'd force checks every year. With the 100 year lifespan, people will always assume it can be done next year instead of this year.


Reminds me of Let's Encrypt issuing 90-day certs instead of 1+ year, so that you're forced to find a better automated solution and not have a panic when your cert expires in 5 years.


I wonder whether or not that's the global maximum. I still occasionally run into sites that never figured out how to use Let's Encrypt, so they don't encrypt at all.

I personally achieved completely automatic renewals (https://jrock.us/posts/rotating-envoy-certs/) but it involved some work. (It also works so well that I don't even believe it. I have to go manually check from time to time because my monitoring never shows me any errors, and there are so many moving parts that I am continually amazed that everything works perfectly.)

Other people just aren't willing to do that. They like their nginx/Apache sitting on a lonely Linux box that they ssh into once every 5 years. The cost of changing any of that software is high, and they don't have a good system for running new software, like Certbot. We definitely didn't fix that.
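Added example, not written by any commenter and unrelated to the Envoy setup linked above: a minimal certificate-expiry check in Python that reports a failed check as an alert instead of staying silent, which is the gap behind "my monitoring never shows me any errors". The 30-day renewal threshold, the host name and the port are assumptions.

```python
import socket
import ssl
import time

# Assumed policy: Let's Encrypt certs live 90 days; flag renewal once fewer
# than RENEW_DAYS remain so a few failed renewal runs still leave slack.
CERT_LIFETIME_DAYS = 90
RENEW_DAYS = 30


def days_until_expiry(not_after, now=None):
    """Days left on a cert, given its notAfter string in OpenSSL's
    'Mon DD HH:MM:SS YYYY GMT' form (what getpeercert() returns).
    `now` is seconds since the epoch; defaults to the current time."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def renewal_status(not_after, now=None):
    """Return (status, days_left) with status 'ok', 'renew' or 'expired'.
    Unparsable input yields 'error' rather than being swallowed, so a
    broken monitor is never mistaken for a healthy certificate."""
    try:
        days = days_until_expiry(not_after, now)
    except (ValueError, TypeError):
        return "error", None
    if days <= 0:
        return "expired", days
    if days < RENEW_DAYS:
        return "renew", days
    return "ok", days


def check_host(host, port=443, timeout=5.0):
    """Live check: fetch the leaf cert presented by host and classify it.
    Any connection or TLS-verification failure is also reported as 'error'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except (OSError, ssl.SSLError, KeyError):
        return "error", None
    return renewal_status(not_after)


if __name__ == "__main__":
    import sys
    # Hypothetical host name; pass your own as the first argument.
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Wire the non-"ok" statuses into whatever pages you, and treat "error" as a page too; a monitor that only alerts on a successfully parsed, soon-to-expire cert is blind to its own failures.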


Then they would say "this is annoying, let's make it last long", which brings us to now...


Chaos monkey to the rescue.



