It's a digital form of gentrification. Let's play devil's advocate: ISRG Root X1 is in the process of becoming a single-point of failure..the attack surfaces exposed by TLSv1.3 and its dependencies like OCSP, ASN.1, etc. never stop growing because the complexity of a secure PKIX doesn't either. I'm not against securing the web, but please do it in a way that's inclusive and backwards compatible--even for sites that have gone untouched for decades without breaking. Why not do something simple like an HMAC for each HTTP/2 PDU keyed with material from DNS like DNSSEC record types or stateful RRSet responses when resolving web hosts; a nonce can be transmitted in an IN TXT record. There _must_ be some better way than the current cat & mouse + cloak & dagger circular torrent of neverending cipher suite, encryption mode, library software and protocol version upgrades, attacks, patches, workarounds, et cetera, etc. An archive snapshot of the Heaven's Gate doomsday cult's static HTML site needs nowhere near the cryptographic verification required by an enterprise class e-commerce application with AJAX! In other words, it's publicly known that Jim Jones founded the Peoples Temple, so as long as the served document isn't modified in transit, then it won't matter if the transmission is eavesdropped on (which obviously isn't the case for online banking.) The way things are currently unfolding, ALL sites are going to get thrown under the bus--including ancient web portals with much historical significance to the WWW. Archival sites never save everything and completely innocent pages that adhered to all standards when they were deployed don't deserve to be bulldozed!