"But outside EV certificates everyone should be using Let's Encrypt certificates. They are trivial to install, secure and renewals can be fully automated. On top of all that they are free. Anyone buying non-EV certificates is neither cost conscious nor values the time of their IT staff."
There are other low-maintenance ways to get certificates, and they don't require you to put all of your trust in one organisation who has no obligations to you.
For all internal uses, we use an internal CA that will automatically renew renewal requests signed by the key of a currently-valid but almost-expiring cert, and an scep client run from cron that will check all certs and enroll for renewals (as well as enroll for the initial cert).
For public certs the certs we renewed before letsencrypt went live are still valid, so for non-security-critical ones we may consider letsencrypt a month or two before those certs expire.