
SSH host certificates as somewhat of an abomination

Many would say x509 is the real abomination.



I might not disagree with you there.

However, for all its warts, x509, due to hardware implementations, seems a great deal more secure than SSH host certificates sitting on the FS.


OpenSSH has supported FIDO keys since 8.2p1, and has supported smart cards via GPG for longer.


Yeah. Actually, ssh-agent speaks PKCS#11 (both client and server), so it's possible to interface with the hardware token quite easily. I'm using that to store my client key in a TPM, for example.
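The thread contrasts host certificates whose CA key sits on a filesystem with keys held in hardware. As an added example (not code from the thread or from any of the commenters), the script below mints an SSH host certificate with a throwaway CA, checks that the certificate chains to that CA and carries the expected principals, and writes the `@cert-authority` line a client needs in `known_hosts`. Every name, hostname and path in it is constructed for the demo; the only real hook to hardware is the `ssh-keygen -D pkcs11.so` flag mentioned in the comments, which lets the CA key live in a PKCS#11 token instead of on disk.

```shell
#!/bin/sh
# Added example, not from the thread: mint an SSH host certificate with a
# throwaway CA, inspect it, and build the known_hosts @cert-authority line a
# client needs to trust it. All names, hostnames and paths are constructed.
set -eu

have_ssh_keygen() { command -v ssh-keygen >/dev/null 2>&1; }

# make_host_cert DIR: create CA + host keys in DIR, sign the host key, and
# write DIR/known_hosts. Prints the certificate path.
make_host_cert() {
    dir="$1"
    mkdir -p "$dir"
    # Throwaway CA. In production the CA private key is the thing to keep off
    # the filesystem: ssh-keygen can sign with a CA key held in a PKCS#11 token
    # via  ssh-keygen -D /path/to/pkcs11.so -s "$dir/ca.pub" ...  (real flag,
    # not exercised here because no token is present in the demo).
    ssh-keygen -q -t ed25519 -N '' -C demo-host-ca -f "$dir/ca"
    # The host key itself, as sshd would have it on disk.
    ssh-keygen -q -t ed25519 -N '' -C demo-host -f "$dir/host"
    # -h: host cert; -I: key id that shows up in logs; -n: principals (names
    # and addresses the cert is valid for); -V: validity window (5 minutes
    # back for clock skew, 52 weeks forward). Output is DIR/host-cert.pub.
    ssh-keygen -q -s "$dir/ca" -I demo-host-001 -h \
        -n host.example.test,10.0.0.5 -V -5m:+52w "$dir/host.pub"
    # Client side: trust any host cert for these names signed by this CA.
    printf '@cert-authority host.example.test,10.0.0.5 %s\n' \
        "$(cut -d' ' -f1,2 "$dir/ca.pub")" > "$dir/known_hosts"
    echo "$dir/host-cert.pub"
}

# cert_signed_by CERT CA_PUB: succeed only if CERT's "Signing CA" fingerprint
# equals CA_PUB's fingerprint, i.e. the cert chains to the CA we trust.
cert_signed_by() {
    ca_fp=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    ssh-keygen -L -f "$1" | grep -F 'Signing CA:' | grep -qF "$ca_fp"
}

# cert_has_principal CERT NAME: succeed if NAME is listed under Principals.
cert_has_principal() {
    ssh-keygen -L -f "$1" \
        | sed -n '/Principals:/,/Critical Options:/p' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF "$2"
}

main() {
    have_ssh_keygen || { echo "ssh-keygen not installed; nothing to demo" >&2; return 0; }
    dir=$(mktemp -d)
    cert=$(make_host_cert "$dir")
    ssh-keygen -L -f "$cert"
    cert_signed_by "$cert" "$dir/ca.pub" && echo "OK: certificate chains to our CA"
    cert_has_principal "$cert" host.example.test && echo "OK: principal present"
    echo "known_hosts entry:"
    cat "$dir/known_hosts"
    rm -rf "$dir"
}

main "$@"
```

The two check functions are the part worth keeping: `cert_signed_by` is the question a client implicitly asks on every connection (does this host certificate chain to a CA I trust), and `cert_has_principal` is the scope check that stops a certificate minted for one host from being presented by another. Both read only the public certificate, so they can run anywhere, while the signing step is the one place the CA private key is needed and therefore the one place a PKCS#11-backed key pays off.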



