“Stop managing authorized_keys files. SSH supports proper certificate-based authentication and almost nobody uses it.”

Every shop running SSH at scale eventually rebuilds some half-baked key distribution system because the documented-but-ignored alternative requires twenty minutes of reading. Mens lays out the actual workflow. Sign user keys with a CA, set the trusted CA on the server, you are done. The reason this is not the default is the same reason any obviously better thing is not the default: the existing thing is just functional enough to coast on.
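The three steps above, run end to end in a throwaway directory. This is an added example, not taken from the linked write-up; the file names, the key ID `alice@example`, the principal `alice`, the 8-hour validity and the server path `/etc/ssh/user_ca.pub` are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: SSH user certificates with OpenSSH's ssh-keygen.
# Every name, path and lifetime below is constructed for the demo.
set -eu

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# 1. Create the user CA. In practice the private half stays off the servers.
make_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$demo_dir/user_ca"
}

# A user's ordinary key pair (what would otherwise go into authorized_keys).
make_user_key() {
  ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$demo_dir/id_alice"
}

# 2. Sign the user's public key: -I is the key ID that shows up in sshd logs,
#    -n limits which login names the cert is valid for, -V bounds its lifetime.
#    Output lands next to the key as id_alice-cert.pub.
sign_user_key() {
  ssh-keygen -q -s "$demo_dir/user_ca" -I 'alice@example' -n alice \
    -V +8h "$demo_dir/id_alice.pub"
}

# 3. The only server-side change: trust the CA's *public* key in sshd_config.
server_config() {
  printf 'TrustedUserCAKeys %s\n' /etc/ssh/user_ca.pub
}

# Inspection helpers: print certificate detail lines matching a pattern,
# and the CA public key fingerprint to compare against "Signing CA".
cert_field() {
  ssh-keygen -L -f "$demo_dir/id_alice-cert.pub" | grep -- "$1"
}
ca_fingerprint() {
  ssh-keygen -l -f "$demo_dir/user_ca.pub" | awk '{print $2}'
}

make_ca
make_user_key
sign_user_key
ssh-keygen -L -f "$demo_dir/id_alice-cert.pub"   # show what was issued
server_config
```

Because the certificate expires on its own, access lapses without anyone editing files on the servers; a short `-V` window is what replaces key cleanup.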