It really is. Why should we trust short-lived certs which might have been issued under shady circumstances like a BGP hijack an hour ago? How do shorter validity terms protect against an attack which takes days at most? Why are they so sure a rotated key will not be stolen as well if it was before? How do they ensure a specific public/private pair was not already used before? Do they actually check it?
This is security theater and I think it's intended to make TLS maintenance unbearable for non-IT businesses and to push them to cloud hosting providers like Google Cloud and Cloudflare.
Also, the latest drafts of the TLS ESNI/ECH feature were written by Cloudflare for Cloudflare's needs.