Way back when I was writing SSLeay encrypting proxies so Lynx could use
   them, there was a commercial product called StrongHold. I apologize for
   my insufficient memory.
   However much of the problem with forcing browsers to update might be
   solved with an encryption proxy (on a raspi if needed).
   For those who are too young to remember, during the "crypto is
   munitions" period where the source to strong crypto needed to be sent
   via FAX, Stronghold was a proxy that would take ordinary sessions (or I
   assume 40 bit - yes, 40 bit, that was "export" strength) crypto on the
   browser end and transform it to the maximum strength on the remote end.
   IE apparently has some problems with PFS.
   One way to maybe fix this is to create an encrypting proxy that would
   do full strength, PFS encryption and remove the other weaknesses, and
   run on the local machine or LAN (if that isn't secure there are bigger
   problems). And it would refuse or at least complain if the strength
   wasn't up to snuff, and could itself add things like cert/CA validation
   management - trust on first time and the rest as options.
   If I had a box (DD-WRT?) that would warn me if something was amiss, I
   would be in a better position.