I've been keeping my eye on Let's Encrypt for a while, and it's got to the point where their Windows support is good enough that I can just switch it on without it being too much effort.
So: we're going to be activating HTTPS on all sites over the coming weeks. They do require individual checking because a lot of themes includes HTTP elements which need to be hosted locally for things to show as properly secure. But the good news is that if you previously paid for an certificate you won't have to again. Unless you want a fancy extended validation one of course.