This is all automatable and is well documented for almost every setup. If you're on a cloud provider/CDN it's even easier as they'll handle all this for you at pretty much no cost.
You can also still use your own threat model. You can use self-signed certs, import your own CA, etc. The issue is that browsers need to service the mass market, including the figurative grandma who won't otherwise understand fake bank certificates.
As for email, yes... that is a complete shitshow and I'm still surprised it works as well as it does.
I guarantee you that your grandmother will still get phished with a valid domain certificate.