Cheap asses
ERR_CERT_AUTHORITY_INVALID
You'd think they could afford at least $500 per domain per year, or go nuts and get the full deal for $2000, or low-bid it and get a standard SSL certificate for $200 and extended validation for $300/year or $500 for 25 subdomains.
And if they commit to 3 years then it gets way cheaper.
But it's so common that all those SSL errors get ignored, not just a valid CA, but dated in the future or expired even if it's self-signed.
Plus, using PHP and MySQL, depending on how lazy their web developers were, I bet there are many SQL-injectable pages in there.
I'm so glad I never worked on the server side of things, but from the client side of things it's unbelievable to see how many holes there are on servers just to save a few dollars.