After our conversation yesterday, I checked with a colleague of mine. He said that basically all certificate handling should be done via SCEP. SCEP is used during initial certificate exchange and then won't be engaged again until the client needs to roll over (prior to the certificate expiration).
I think that answers the question. Not my area of expertise, but I thought the question was interesting.