Possible, yes. Practical, no.
In your list, you've missed the fact that it's not just roles that need certs. Each managed client system must have its own unique client auth cert also. This will get very expensive, very quickly and will also be a recurring cost since certs expire. Also, because they are recurring, you will also face a logistic challenge of renewing the certs on the clients every year. As an example, let's say a client auth cert costs $100/year and you are managing 500 systems; that's $50,000 per year. Now, I honestly have no idea what a client auth cert costs, but that's not a cost most folks would want to pay every year for something that they can and should do themselves at very little on-going cost.
Yes, a PKI can be a bit challenging to set up and maintain -- not because a PKI in and of itself is difficult but because very few people understand PKI and so many people screw it up -- but the customer will be far better off if they bring in a PKI-smart person to set up a robust PKI that will support IBCM as well as other certificate needs they have now and *will* have in the near future.