>There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

Maybe have overlapping sets of certificates and dual sign your binaries? That way there's always an "aged" certificate available.