> And then you need one device which doesn't support WPA2 Enterprise and you have to start improvising.
We already had plans in place for that (we have many such devices, especially those that do not belong to the organization). And the vendors who could not be bothered to implement support for WPA2/Enterprise, we just don't buy from them.
> Turned out that it was easier to create a separate unsecured WiFi network and pipe everything important over HTTPS.
Sometimes, yes it is (or create a less-secured, WPA2/Personal or WPA1 protected network and go from there)... but if you plan right, you can isolate those cases...