A separate key for updating witness-data would be nice. With this set up, we would need every server to have access to every signing key, which is not ideal. One of the points of separate signing keys is to ensure if one server ever got compromised, witnesses could quickly switch to a different signing key and never use the old one again.
Either way, getting access to a signing key and being able to tweak witness parameters is less dangerous to the individual witness than having access to their active key, so overall applaud the change.
Exactly @lukestokes. And actually, it would be quite useful to have different keys/authorities for different dApps. So instead of creating a special witness key, it would be the smarter way to create a general way of adding 3rd party authorities.