I'm no OpsE, but I don't quite understand the problem with subdomain maintenance, assuming that you are set up as a CA. I know my previous post arguing that everyone should be a CA had a mixed voting response, but this is precisely the class of thing that can and should be automated into oblivion. With your own CA, you can issue and revoke subdomain certs at will. If someone, somewhere, is on the hook to assert the continuing need for each subdomain in the business, then if they fail to assert, the automated process to remove the domain begins. (Warning email to them and their supervisor, wait X days...)
Yes, this is work to set up, but magnitudes less than cleaning up after a hijacking.
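The decay process the comment sketches, as an added example (not the commenter's code or any real system's): every subdomain has an owner who must periodically re-assert the need for it; once the attestation lapses, the owner and supervisor are warned, and after a grace period the cert is revoked and the record removed. The inventory shape, the 90-day attestation interval, the 14-day grace period and the `revoke_cert`/`delete_dns` hooks are all assumptions, and the sample inventory is constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Assumed policy values: how often an owner must re-attest, and how long
# the "wait X days" grace period after the warning lasts.
ATTEST_EVERY = timedelta(days=90)
GRACE = timedelta(days=14)


@dataclass
class Subdomain:
    """Hypothetical inventory record for one subdomain (field names assumed)."""
    name: str
    owner: str
    supervisor: str
    last_attested: date
    warned_on: Optional[date] = None  # set once the lapse warning has gone out


def attest(sd: Subdomain, today: date) -> None:
    """Owner re-asserts the need; this resets the clock and clears any warning."""
    sd.last_attested = today
    sd.warned_on = None


def review(
    inventory: List[Subdomain],
    today: date,
    notify: Callable[[str, str, str, date], None],
    revoke_cert: Callable[[str], None],
    delete_dns: Callable[[str], None],
) -> List[Tuple[str, str]]:
    """One run of the automated reaper. Returns (name, state) for every record.

    States: "ok" (attestation current), "warned" (warning sent this run),
    "pending" (warned, grace period still running), "removed" (cert revoked
    and DNS record deleted). Records marked "removed" are dropped from the
    inventory in place.
    """
    outcome: List[Tuple[str, str]] = []
    keep: List[Subdomain] = []
    for sd in inventory:
        due = sd.last_attested + ATTEST_EVERY
        if today < due:
            outcome.append((sd.name, "ok"))
            keep.append(sd)
        elif sd.warned_on is None:
            # First run after the lapse: warn owner and supervisor, start grace.
            sd.warned_on = today
            notify(sd.owner, sd.supervisor, sd.name, today + GRACE)
            outcome.append((sd.name, "warned"))
            keep.append(sd)
        elif today >= sd.warned_on + GRACE:
            # Grace period exhausted with no attestation: tear the name down.
            # Revoke first so a hijacked DNS entry cannot ride a still-valid cert.
            revoke_cert(sd.name)
            delete_dns(sd.name)
            outcome.append((sd.name, "removed"))
        else:
            outcome.append((sd.name, "pending"))
            keep.append(sd)
    inventory[:] = keep
    return outcome


def sample_inventory() -> List[Subdomain]:
    """Constructed sample data covering each state of the process."""
    return [
        Subdomain("api.example.test", "alice", "bob", date(2024, 5, 1)),
        Subdomain("legacy.example.test", "carol", "bob", date(2024, 1, 1)),
        Subdomain("dead.example.test", "dave", "erin", date(2024, 1, 1),
                  warned_on=date(2024, 5, 10)),
        Subdomain("maybe.example.test", "frank", "erin", date(2024, 1, 1),
                  warned_on=date(2024, 5, 25)),
    ]


def run_demo(today: date = date(2024, 6, 1)):
    """Run one review over the sample data; returns (outcome, notified, revoked, deleted)."""
    notified, revoked, deleted = [], [], []
    inventory = sample_inventory()
    outcome = review(
        inventory, today,
        notify=lambda owner, sup, name, deadline: notified.append((owner, sup, name, deadline)),
        revoke_cert=revoked.append,
        delete_dns=deleted.append,
    )
    return outcome, notified, revoked, deleted, [sd.name for sd in inventory]


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(*line)
```

Run it on a schedule against the real inventory, with `revoke_cert` wired to the internal CA and `delete_dns` to the zone API; the separation of "warned" from "removed" is what gives the owner the chance to answer the email before anything destructive happens.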