I tend to disagree with your statement "The changes are not overtly drastic, if you use an internal private/enterprise CA (commonly known as an internal public key infrastructure, or PKI)." Having worked with numerous customers that had to get a private certificate onto non-domain-joined machines, iPads, Windows Phones, etc., this drives up the operating cost of managing Lync dramatically. Microsoft really needs to start investigating a way to deploy public certificates for Lync for AD domains that use non-approved TLDs.