ntlm is still used every day in WiFi authentication. PEAP authentication is MS-CHAP over TLS over EAP. And the only way for non-MS products to authenticate to Active Directory is via Samba and ntlm.
Things would arguably be more secure if MS allowed for AD to export the password hashes to other systems. Querying for an NT hash via LDAP over TLS has essentially zero security problems. (Other than the NT hash itself)
You can take a clear-text password and authenticate it to AD via kerberos.
If you have MS-CHAP data, you can't convert it to something which will be accepted by kerberos. You MUST send it to AD as MS-CHAP data (i.e. ntlm), and then AD returns "pass / fail"
Things would arguably be more secure if MS allowed for AD to export the password hashes to other systems. Querying for an NT hash via LDAP over TLS has essentially zero security problems. (Other than the NT hash itself)