Running a subCA will invariably be expensive.
For a properly constrained subCA, operated directly by the actual CA but on behalf of the customer (so, few practical benefits) it incurs some additional paperwork and oversight, plus hardware costs, maybe in the realm of a few thousand dollars per year and up. This might get cheaper some day, but it’ll probably get more expensive first.
If you want it externally operated, suddenly the CA’s auditors are having to travel to your site to verify you’re doing a decent job on physical security etc. and that’ll easily take it into hundreds of thousands of dollars unless you already have suitable facilities (e.g. maybe you are a nuclear weapon manufacturer and already have no-lone zones and armed guards on your staff to ensure physical security).
If you don’t want constraints (i.e. you aren’t willing to specify up front the names to be signed), it’d cost millions of dollars to do this and will require full disclosure, with annual mandatory audits to satisfy the Browser vendors on behalf of the Relying Parties. You are essentially going into the CA business for yourself.
Historically some businesses operated shoe-string subCAs and cleaning up the resulting mess is one way that Symantec got itself into so much trouble. For every Apple or Google, with good management and clean audits, there were a dozen “big” companies which didn’t have the budget and executive focus to deliver properly, meaning they were never actually compliant and once that was visible to the outside world they were inevitably going to be shut down.
So, a subCA probably isn’t a realistic option here.
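To make concrete what "properly constrained" means in the comment above (the names to be signed are fixed up front in the subCA certificate, and relying parties enforce that), here is an added example that is not part of the original thread: it builds a root, a subCA name-constrained to example.com, and a leaf, then runs ordinary chain validation with Go's crypto/x509. All names and keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newTemplate returns a minimal certificate template; a CertSign key usage marks a CA.
func newTemplate(serial int64, cn string, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage,
	}
}

// issue generates a P-256 key for t and has parent sign it (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail with crypto/rand
	if parent == nil {
		parent, parentKey = t, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above is always parseable
	return cert, key
}

// LeafAccepted builds root -> constrained subCA -> leaf for host and reports whether
// a standard chain validation (what a browser does) accepts the leaf for that host.
func LeafAccepted(host string) bool {
	root, rootKey := issue(newTemplate(1, "Constructed Root CA", x509.KeyUsageCertSign), nil, nil)
	subTmpl := newTemplate(2, "Constructed Constrained subCA", x509.KeyUsageCertSign)
	subTmpl.PermittedDNSDomainsCritical = true              // name constraints are meant to be critical
	subTmpl.PermittedDNSDomains = []string{"example.com"}   // the names agreed up front, and nothing else
	sub, subKey := issue(subTmpl, root, rootKey)
	leafTmpl := newTemplate(3, host, x509.KeyUsageDigitalSignature)
	leafTmpl.DNSNames = []string{host}
	leaf, _ := issue(leafTmpl, sub, subKey) // the subCA key will sign anything; the verifier is the gate
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
```

A leaf for www.example.com validates, while one for a name outside the constraint is rejected even though the subCA signed it, which is exactly the property that keeps a constrained subCA's blast radius small.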