Auth is both simple and hard to get right. It's virtually the same everywhere. One group of people getting it right is better than every company trying to figure it out for themselves. It's exactly the right thing to farm out to a 3rd party.
Only on HN will you be told "you're an idiot if you outsource your auth" and "you're an idiot if you roll your own auth" by the same group of people.
Most people are using something like laravel or rails that has auth scaffolding built in for you, so both outsourcing and rolling your own are obscure dirt road paths that are rarely suggested.
There's a difference though between farming out to a SaaS product like Auth0 and rolling your own. You should absolutely not try and write your own Oauth2 server unless you really, really know what you're doing. But there are a lot of options for self-hosted auth services that are rock solid and battle tested.
Depends on what you mean by maintain. If you use one of the well-supported open source solutions like Keycloak then it is very actively maintained with regular releases, bug fixes, new features (U2F support etc). But of course you need to run your own infrastructure (database, application servers, load balancer, maybe separate infinispan cluster if you want to go wild). If you don't have the operational capacity to do that then maybe a SaaS solution is right for you.
Only on HN will you be told "you're an idiot if you outsource your auth" and "you're an idiot if you roll your own auth" by the same group of people.