We (OpenStateFoundation) scanned 15070 Dutch (.nl) Symantec certificates that are in the Certificate Transparency via crt.sh, which are valid for 45822 different domain names (including wildcard certificates), which of 26971 are below the .nl-tld (and of which 19648 unique names, if www/non-www and * are normalized to the plain domain), which resulted in 3801 that still needing replacement (the scan in the article is based on a CN scan, later I also did a scan based on the valid DNS names in the cert).<p>On average 1 in 5, probably other TLDs have a similar score.