I'd imagine it's less about setup complexity and more about reducing the attack surface of the main domain where any number of mistakes on the subdomain could expose a vulnerability for the main domain as well.