CatalinF, yes, I agree with you on the EEM front (for me it has been more like 20+ years), in particular with the multi-domain (one of the advantages of heading to EEM 12.5, the other being HA failover of EEM).
However, these days everyone has a MS AD setup of sorts. Therefore, not having to deploy an extra server for EEM means that you reduce the management overhead of needing one (or more if doing HA).
The other question that needs to be asked is the size of the deployment. For a small/medium deployment, the need for an EEM box is less and less common these days. Also, there are only about two CA products that actually need EEM these days, CA SOI being the main one (though I think that this is slowly changing). The main requirement for CA EEM was always for the combined "fake" SSO between Spectrum and eHealth. Since eHealth is going away, there is a move to use pure LDAP links.
Therefore, the standard recommendation we have is to use LDAP (including for answering the question from the original post about password management).