We wanted to switch long time ago to Let's Encrypt, unfortunately it isn't that simple when you have 10ths of domains and subdomains, distributed among 5-10 servers.
startcom and wosign (startcom is now owned by wosign) certificates signed after a certain date are not trusted by some browsers by default due to the back-dating issue last year.
Because of the same trust issues some organisations have their OS and browser installations configured to not trust any certificate signed by startcom or wosign (or a certificate that chains to one of theirs).
