It is combination of two things. X.509 is arguably overly complex ASN.1/X.500 thing, but that is not the main issue.

Main issue is that most people do not even grasp the concept of a certificate (ie. binding of public key to some additional information that is signed by some other entity).