Yes, but this is not true for digest auth. There are actually very few client environments that fully support digest out of the box.
So I would say this argument doesn't count, as digest is not any less complicated to use than any other more sophisticated auth mechanism.
I agree with the TLS argument: for most other auth mechanisms I looked at, it seems to be a requirement indeed.
But can you elaborate why we cannot ship certificates (out of the box) that need to be replaced in production environments?
This would give us TLS and push the need for custom certificate creation beyond the out-of-the-box scenario.
The next issue is that by using standard HTTP authentication mechanisms, standard APIs can be used in many programming languages to actually call the management interface without needing to know about alternative authentication schemes.