This is incredibly insecure and only slightly better than just not using TLS in the first place. Any party can just insert their own root certificate into that HTTP stream, which then gets automatically trusted. You could just as well disable TLS authentication altogether.
Unfortunately, that's the way that it is. Fortunately, most of these are slightly older models, I don't see this as much anymore with some of the newer ones.
If you really need to download roots via HTTP(S), the best way to go would be to use an HTTPS server that uses a certificate signed by a root that's pre-installed on the device. The device should have been bootstrapped with something useful (ideally, a company's internal root certificate) that could be used for this purpose.
Only commercial certificates would likely be trusted for that, so that would be an additional expense. An internal cert wouldn't be trusted either because again, it would need to be loaded from somewhere.
It's also worrying that you seem to be looking for DST Root CA X3 which expired in 2021 and is soon going to be fully decommissioned. Any device should have loaded ISRG Root X1 years ago and no validation should be done against DST Root CA X3.
Well, that's a fair point, we've definitely had this unchanged for a while.
I don't see the actual certificate linked in either post though. I took a look here: Chain of Trust - Let's Encrypt
However, I'm having difficulty finding a link that matches the same format as above, i.e. with just the certificate, do you know which one would be the right replacement?
I don't mean to be impolite, I understand that you're just looking for a simple solution to a problem. I'm just shocked about the security state presented here: I was aware that embedded devices had bad security, but it's really that horrible?
Unfortunately, yes, particularly for older ones. Ideally, it wouldn't be like this, but we have to support a wide variety of equipment and some models out there do have this stipulation. I'm definitely not a fan of it either, it would be nice if it "just worked".