It's the classic chicken and egg problem. Few sites use them because they correctly believe that the browser configuration is too painful for most people. The browser configuration remains painful because users aren't pressuring browser makers, and they're not pressuring browser makers because they don't use any sites that make such configuration necessary. It won't change until (a) enough sites require client certs despite the painful configuration or (b) browser makers take some initiative to make configuring them less painful. Neither seems very likely.