bruce511 2 days ago

But it's only the extreme warning that alerts the website (usually via a customer complaining) that the cert hasn't been renewed. Having the lesser warning just kicks the can down the road.

The IoT should have updated the certs weeks in advance. If they haven't done it by day 0 then their process is broken, and delaying the scary warning to, say, day +5 won't solve anything.

lambdaone 2 days ago

What might be better is if, in addition to failing hard when the certificate expires, web browsers were to give a 'soft' click-through user warning if the certificate on the site - while still within its validity period - has less than, say, 7 days to go before expiry.

That's probably long enough for most companies to be alerted to the problem in time and to get their act together to fix the problem.

tgsovlerkhgsel 2 days ago

A warning with a clear clickthrough button would work for alerting - the default TLS warnings are designed to be somewhat hard to bypass to make people think twice.