Writing a pre-flight script to check the domains on all the certs first is pretty simple. A few weeks ago, a LetsEncrypt staff member posted a quick script used to check TLDs for CAA records. It should be a good starting point to write something that can analyze your certs.
I get that DevOps stuff and housekeeping can get pushed back, but your Product/Tech leads should be prioritizing this in your next sprint. I am not speaking as a community member here, but as someone who was formerly C-level at your target customer demographic and who currently advises companies in your target demographic. You are in a hole of technical debt and should be digging yourself out of it, not deeper into it.
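The pre-flight check described in the post above, written out as an added example. This is not the Let's Encrypt staff member's script and not code from the service being discussed; it implements the CAA lookup from RFC 8659 (climb from each SAN toward the root, stop at the first owner with a CAA RRset, then check the `issue`/`issuewild` properties against the CA's identifier). DNS is behind a `resolve(name)` callable so it runs offline: the `SAMPLE_CAA` zone data and the SAN list are constructed for the example, and `sample_resolver` stands in for a real CAA query (for live domains you would swap in a DNS library such as dnspython, which is assumed, not imported here).

```python
"""Pre-flight CAA check for the SANs on a certificate before requesting issuance.

Added example (not the script referenced in the post). Implements the RFC 8659
relevant-RRset search: walk from the name toward the root, use the first owner
that has a CAA RRset, then decide whether `ca_domain` may issue.
"""
from typing import Callable, Dict, List, Optional, Tuple

CaaRecord = Tuple[str, str]                 # (tag, value); flags are not needed here
Resolver = Callable[[str], List[CaaRecord]]  # returns the CAA RRset for one owner name

# Constructed sample zone data standing in for live DNS (type 257 / CAA lookups).
SAMPLE_CAA: Dict[str, List[CaaRecord]] = {
    "example.com.": [("issue", "letsencrypt.org"), ("iodef", "mailto:sec@example.com")],
    "locked.example.net.": [("issue", ";")],                  # ";" = no CA may issue
    "corp.example.org.": [("issue", "digicert.com"), ("issuewild", "letsencrypt.org")],
    "example.info.": [("iodef", "mailto:ops@example.info")],  # no issue tags: no restriction
}


def sample_resolver(name: str) -> List[CaaRecord]:
    """Stub resolver over the constructed zone data (assumption for the example)."""
    return SAMPLE_CAA.get(name, [])


def relevant_caa(name: str, resolve: Resolver) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (owner, rrset) of the first non-empty CAA RRset found climbing toward
    the root, or (None, []) if no ancestor has CAA records.  For a wildcard name
    the search starts at the name without the '*.' label, as RFC 8659 requires."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = resolve(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(name: str, ca_domain: str, resolve: Resolver) -> Tuple[bool, str]:
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa(name, resolve)
    if owner is None:
        return True, "no CAA RRset on any ancestor; CAA does not restrict issuance"
    # issuewild governs wildcard names only when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    values = [v for t, v in rrset if t == tag]
    if not values:
        return True, f"{owner} has CAA but no {tag} property; issuance not restricted"
    for value in values:
        # issue value is "issuer-domain-name [; parameters]"; an empty issuer means nobody.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer == ca_domain.lower():
            return True, f"{owner} authorises {ca_domain} via {tag}"
    return False, f"{owner} {tag} records {values} do not authorise {ca_domain}"


def preflight(sans: List[str], ca_domain: str,
              resolve: Resolver = sample_resolver) -> Dict[str, Tuple[bool, str]]:
    """Check every SAN on a certificate; any False entry should block the order."""
    return {san: ca_may_issue(san, ca_domain, resolve) for san in sans}


if __name__ == "__main__":
    # Constructed SAN list as it might be pulled from a pending certificate.
    cert_sans = ["www.example.com", "*.corp.example.org", "corp.example.org",
                 "api.locked.example.net", "example.info"]
    for san, (ok, why) in preflight(cert_sans, "letsencrypt.org").items():
        print(f"{'OK  ' if ok else 'FAIL'} {san}: {why}")
```

Two points a production version must add: a lookup error (SERVFAIL, timeout) is not the same as an empty RRset and should fail the pre-flight rather than be read as "no restriction", and a real resolver should be the one your CA will see, since split-horizon DNS can make an internal check pass while the CA's check fails.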