Android Browser Showing Security Risk or Connection Not Secured

Android versions < 7.1.1 need Let's Encrypts "long" chain, which includes a signature to the now expired DST Root CA X3, because they do not trust ISRG Root X1.

Let's Encrypt provides this chain by default to all subscribers, but IIS servers build their own chain and will usually build a different chain that equals the "short" chain. The short chain is not compatible with Android < 7.1.1.

More information about Let's Encrypts chains:

More information about the IIS situation: