> How is it any different? You install the hash of the boot loader when you issue the machine, then use the trusted system to update the hash if necessary.
With your private CA you can skip the "update the hash" part, removing a crucial step that one might forget in a hurry or that simply might go wrong because of whatever sort of bug or power outage... and brick thousands of machines as a result.
The "update hash" part is the counterpart to the "sign the binary" part, so if you forget to do it you're going to have problems either way. Also, this is the sort of thing that large organizations would have automated tooling to do anyway.
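To make the trade-off in this exchange concrete, here is an added example (not code from any of the posters) that simulates a fleet machine under both trust models: a hash allow list that must be refreshed whenever the loader changes, and a private CA key whose signature on each release is checked instead. The signing key seed, the bootloader images and the trust-store layout are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// TrustStore stands in for the firmware's trust configuration: an allow list of
// bootloader hashes (the "install the hash" model) and the public key of a
// private signing CA (the "sign the binary" model).
type TrustStore struct {
	AllowedHashes map[[32]byte]bool
	CAKey         ed25519.PublicKey
}

// bootByHash admits an image only if its SHA-256 is in the allow list.
func bootByHash(ts *TrustStore, image []byte) bool {
	return ts.AllowedHashes[sha256.Sum256(image)]
}

// bootBySignature admits an image only if it carries a valid signature from the CA key.
func bootBySignature(ts *TrustStore, image, sig []byte) bool {
	return ed25519.Verify(ts.CAKey, image, sig)
}

// SimulateUpdate rolls the bootloader from v1 to v2 on a machine and reports whether
// each model still boots. hashPushed says whether the operator remembered to push
// v2's hash to the machine; signing at build time is assumed to always happen.
func SimulateUpdate(hashPushed bool) (hashBoots, sigBoots bool) {
	// Constructed, fixed seed so the run is reproducible; a real CA key is never derived this way.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	v1 := []byte("constructed bootloader image v1")
	v2 := []byte("constructed bootloader image v2")

	// Provisioning when the machine is issued: record v1's hash, install the CA public key.
	ts := &TrustStore{AllowedHashes: map[[32]byte]bool{sha256.Sum256(v1): true},
		CAKey: priv.Public().(ed25519.PublicKey)}

	// Release of v2: the build pipeline signs it. Pushing the new hash is a separate step.
	sigV2 := ed25519.Sign(priv, v2)
	if hashPushed {
		ts.AllowedHashes[sha256.Sum256(v2)] = true
	}
	return bootByHash(ts, v2), bootBySignature(ts, v2, sigV2)
}

func main() {
	for _, pushed := range []bool{false, true} {
		h, s := SimulateUpdate(pushed)
		fmt.Printf("hash pushed=%v: hash model boots=%v, signature model boots=%v\n", pushed, h, s)
	}
}
```

The forgotten-hash run is the "brick" case from the thread; the signature model boots in both runs, but only because the signing step was not skipped.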