Why do we need to list our CAS servers as SANs in Exchange 2010's UCC certificate?
It's by design. Autodiscovery is going on internally and externally, and it happens to default to the internal CAS Server name.
As you already figured out, you need to change all services to use the External URL as Interal URL as well, else your internal clients will receive certificate errors.