The passive boxes aren't truly drop-in. You need to extract every single private key that will be used for traffic. This is easier than modifying the software to add logging, but not tremendously easier. Endpoints being numerous, heterogeneous, and difficult to access all apply to existing boxes. And whether the endpoint is up to date doesn't matter to either method.
It's not a big burden to install a MitM box either; most places call it a load balancer.