Do you have a reasonably comprehensive view of which hosting providers and software platforms your company's domain names use? The TLS-SNI vulnerability is a risk only if you have domains whose A records point to a hosting provider that allows third parties to upload arbitrary certificates for domains they do not control. It sounds like you have a relatively tightly controlled infrastructure, so I'm guessing that may not be the case for your domains?
In terms of time to switch off the TLS-SNI whitelist: We've taken a few months, because we wanted to standardize the replacement TLS-ALPN validation method. We've recently released that method on our staging servers and should be turning it on in production soon, after which we can start switching off the "major integration" part of the whitelist. The "renewal whitelist" will remain in place several months longer to minimize disruption of unattended renewals, but will also be phased out.
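As an added illustration of the inventory check the reply above describes (example code, not part of the original post and not Let's Encrypt tooling): a small Python script that takes a domain-to-A-record inventory and a set of netblocks belonging to shared hosting providers where customers can upload certificates for names they do not control, and flags every domain whose address falls inside one of those blocks. The inventory, the provider names and the CIDR ranges below are constructed placeholders drawn from the documentation address ranges; in practice you would feed it your zone exports and the address ranges your providers publish.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory: domain -> A (or AAAA) records, as produced by a zone
# export or by resolving each name. These addresses are placeholders from the
# documentation ranges, not real hosts.
INVENTORY: Dict[str, List[str]] = {
    "www.example.com": ["203.0.113.10"],
    "shop.example.com": ["198.51.100.25", "198.51.100.26"],
    "blog.example.com": ["192.0.2.77"],
    "old.example.com": ["203.0.113.200"],
}

# Hypothetical netblocks of hosting providers on which any customer can upload
# a certificate for any name served from a shared IP, i.e. the environment in
# which TLS-SNI validation can be abused. Provider names and CIDRs are
# placeholders; populate this from your own asset inventory.
SHARED_HOSTING_RANGES: Dict[str, List[str]] = {
    "hosting-provider-a": ["192.0.2.0/24"],
    "hosting-provider-b": ["203.0.113.128/25"],
}


def build_networks(ranges: Dict[str, List[str]]):
    """Parse the CIDR strings once so each address is matched against
    ip_network objects rather than re-parsed per lookup."""
    nets = []
    for provider, cidrs in ranges.items():
        for cidr in cidrs:
            nets.append((provider, ipaddress.ip_network(cidr, strict=False)))
    return nets


def classify(inventory: Dict[str, List[str]],
             ranges: Dict[str, List[str]]) -> Dict[str, Tuple[str, str]]:
    """Return {domain: (address, provider)} for every domain that has at
    least one record inside a shared-hosting range. Domains whose records all
    lie outside those ranges are omitted, so an empty result means no domain
    in the inventory is exposed to the TLS-SNI issue via these providers."""
    nets = build_networks(ranges)
    flagged: Dict[str, Tuple[str, str]] = {}
    for domain, addrs in inventory.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)  # handles both IPv4 and IPv6
            for provider, net in nets:
                if ip.version == net.version and ip in net:
                    flagged[domain] = (addr, provider)
                    break
            if domain in flagged:
                break
    return flagged


if __name__ == "__main__":
    for domain, (addr, provider) in sorted(classify(INVENTORY, SHARED_HOSTING_RANGES).items()):
        print(f"{domain}: {addr} is in a {provider} range; review TLS-SNI exposure")
```

A domain is flagged on its first matching record, which is the conservative choice: one A record on a shared host is enough for the attack, regardless of where the other records point.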