Interesting points… But the whole Symantec thing is exactly why I approach this like I do… Maybe a point of clarification is in order. I own a web design and development company. When I bought it and realized every single client's site had a Let’s Encrypt cert, I knew I had a problem. I purposefully obtain SSL certs from various CAs as we deploy client sites, precisely to protect my customers from an event like Symantec having to reissue millions of certificates.
You are right that the risk applies to for-profit CAs just as to not-for-profit ones. My argument is that the profit motive is a feature, not a bug, and having multiple for-profit CAs competing with each other is a net subtraction from the threat surface, whereas having people pile into a non-profit CA offering free certs is a net addition to the threat surface.
Lastly on the three months vice two years… It is because the certs expire in three months that hosts have created automated renewals… Again, I do not think “fire and forget” is a particularly good idea when it comes to cyber security.