I think your 2nd/3rd lend favour towards "don't roll your own auth" - it's hard and more often than not there will be buggy implementations. People aren't good at crypto and they aren't good at authentication workflows either, when an application starts to scale it becomes a liability.
Building auth is hard, but so is properly integrating with external auth providers. You'll be surprised how many applications you'll find online that accept unsigned JWT tokens because many people don't know they need to turn those off. You also need to cater to the specifics of your auth solution (i.e. how to prevent spoofing, how it deals with brute force attempts, how to set up the proper session lengths). You end up learning about things like "OAuth 2 scopes" and other fun terminology that will have you become an expert in the specific auth solution you've chosen before you can reliably roll it out.
I'd guess that for most platforms that work with a simple username and password, rolling your own auth is probably a lot cheaper and easier. With 2FA this becomes trickier to pull off, but depending on your platform you may be able to build it in the same time it takes to properly configure, style, test, and document an external auth setup.
