Trusted certificates should be treated as a separate (system) package that can also be upgraded without the whole OS being upgraded. That's how they are treated on most of the Linux distros out there.
Android has opted instead for tightly coupling the certificates to the system itself. That's a very bad design decision that, either intentionally or unintentionally, makes a device useless 4 years after the latest system upgrade.
One more reason for either ditching Google's Android in favour of better supported and less abandonware-prone systems - Lineage is an excellent choice for those who don't want to give up the commodities of Android, but don't want to run the risk of throwing away their $1000 phone 4-5 years after the purchase just because Google decided not to push certificate updates to it anymore.
Android has opted instead for tightly coupling the certificates to the system itself. That's a very bad design decision that, either intentionally or unintentionally, makes a device useless 4 years after the latest system upgrade.
One more reason for either ditching Google's Android in favour of better supported and less abandonware-prone systems - Lineage is an excellent choice for those who don't want to give up the commodities of Android, but don't want to run the risk of throwing away their $1000 phone 4-5 years after the purchase just because Google decided not to push certificate updates to it anymore.