As far as I understand, although this can be done with OpenVPN but not via the Zentyal GUI, mixing authentication mechanisms and, furthermore, stacking them (that is, relying on certificate plus password) is not feasible.
There is no real drawback with certificate-based authentication "only", except the administration overhead when it comes to renewing a certificate or creating a new one when a certificate gets compromised.
As you rightly point out, the user password is at the certificate level, and a valid certificate will always allow authentication.
Hopefully, there is a CRL mechanism.