m-p-3
It's cumbersome for a reason, and I believe it will lead to better tooling and automation.
The better tooling and automation already exists; it's really all over but the shouting. The pain comes from supporting vendor equipment that's already on its way to the dustbin: vendors that fired their entire engineering group half a decade ago and have no way to respond, while the equipment will still be in production for another 20 years.
There are many solutions (reverse proxies, private CAs, literally hiring a guy to manually update certs on each bit of equipment every 35 days). Some of them are painful, but it's not worth handicapping the security of the entire public web for them.