The real solution is making your shit modifiable by the client.
We do car recalls all the time. Just send out an email or something with instructions of what to put on a USB, it's basically the same thing.
Yes it's inconvenient for consumers and annoying but the alternative is worse. Essentially hard coding certificates was always a bad idea.
2. Product is a smart fridge or whatever, reasonable users might keep it offline for 5+ years.
3. New homeowner connects it to the internet.
4. Security update fails because the security update server's SSL cert isn't signed by a trusted root.