I agree. And while I'm probably wrong, my impression is that so many of the parts of identity that AD handles directly are simple these days. What's difficult is that IT departments are used to AD.
I think that's something slightly different. I'm not saying AD would be easy to replace in an existing org, with existing software. I'm saying the job it does for most orgs seems fairly basic (i.e. be the system of record for users and groups, which map onto OIDC users/groups in individual apps for all the day-to-day permissions work).