I'd say it's relatively easy to make one that “does the right things while also doing the wrong things”. By wrong things I mean things that make it complicated enough to turn it insecure.
The advantage of third-party tools is that it's hard to get new features in there, so they retain their simplicity. You don't get some rando C-Level or IT guy demanding new auth features to make it messy.