I’m hoping this is something Apple will fix in the future (thus making this blog post obsolete), but in the meantime, if you see the behavior described, there is a workaround:
Problem
Running /usr/bin/security import /PATH/TO/CERT.p12 -k /Library/Keychains/System.keychain -P ACTUALPASSWORD fails with the error security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?), but dragging the same .p12 into the Keychain Access application imports the cert successfully when you use the same password.
Workaround
The workaround (which I found in the macsysadmin subreddit) is to go ahead and do that drag-and-drop GUI import of the cert, and then use Keychain Access to re-export as a new .p12 with the same password.
Once you do that re-export, you should be able to use the command line to /usr/bin/security import the new .p12 cert.
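For deployment scripts, a wrapper that runs the import from this post and tells this specific failure apart from any other error, so the .p12 can be flagged for the re-export workaround. This is an added example, not part of the original post; the SECURITY_BIN override and the return codes 1 and 2 are assumptions made for the example.

```sh
#!/bin/sh
# Added example: wrap the import command from the post and classify its failure.
# SECURITY_BIN is an assumed override so the function can be exercised off-macOS.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
KEYCHAIN="/Library/Keychains/System.keychain"

# Return codes (chosen for this example):
#   0 = imported
#   2 = the "MAC verification failed during PKCS12 import" error from the post
#   1 = any other failure (unreadable file, other security error)
import_p12() {
    p12="$1"
    pass="$2"
    if [ ! -r "$p12" ]; then
        echo "cannot read $p12" >&2
        return 1
    fi
    # Same invocation as in the post; -P places the password in the
    # process arguments, so run this only where that is acceptable.
    out=$("$SECURITY_BIN" import "$p12" -k "$KEYCHAIN" -P "$pass" 2>&1)
    status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    fi
    case "$out" in
        *"MAC verification failed during PKCS12 import"*)
            echo "$p12: PKCS12 MAC verification error." >&2
            echo "Import it through Keychain Access, re-export it as a new .p12" >&2
            echo "with the same password, then retry with the new file." >&2
            return 2
            ;;
        *)
            echo "$out" >&2
            return 1
            ;;
    esac
}

# Usage: sudo sh import_p12.sh /PATH/TO/CERT.p12 ACTUALPASSWORD
if [ "$#" -eq 2 ]; then
    import_p12 "$1" "$2"
    exit $?
fi
```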