cPanel's way of wanting to manage everything gets to become a nuisance at some point. Sure it's great for any average Joe that wants to be a web hosting provider without any server management experience. But less great for individuals that might know how to manage a server.
I've been including a static SSL virtualhost at the top of the Apache configuration files for years. Sure it still gives a hostname/common name mismatch if some random user tries to visit their site by adding https to their URL, but it doesn't give some random website either.
Further from all of this - and this is the key point - who thinks that just adding https to their URL will automatically bring up a secure version of their site? That's just where all of this went awry. If you want your VirtualHost to be secure, then explicitly request a secure certificate (whether that be a free DV certificate, a paid DV certificate, a paid EV certificate, or a free self-signed certificate). And now Google is wanting to stick their hand in the cookie jar and just automatically assume every site should have an HTTPS version.
If the idea is to make everything, absolutely every website secure, then what's the point of HTTP? Why not invest into some type of STARTTLS alternative for HTTP? Why require every website to have their own certificate? (Other than an EV certificate or OV certificate where there needs to be a trust that the website that is selling you something is actually a real certificate business). Or why vilify self-signed certificates, which offer secure connections (again, not to be used with websites selling something). If average Joe is just concerned with protecting his WordPress login page from outside packet sniffers, a self-signed certificate would likely offer just as much protection.
This move to force every website to get their own secure certificate was short-sighted at best. Was any thought ever put into adding an encryption layer into native HTTP? SSL for websites is meant to provide two things - encrypting data as it passes back and forth and a level of trust that the visitor of the website is a real business. DV and self-signed certificates provide no such trust, just encryption. If that is all you're needing, if that's what this push is for, why not look into baking all of that into HTTP?