To be 100% clear on that, the "not client authentication" means they can't replace client passwords for logins, nor can they be used to directly encrypt/sign emails on a client. But they can be used for securing the client<>server part of IMAP and POP3.
You don't really need a third-party certificate authority for issuing client certificates anyway; you can create your own certificate authority for this purpose using openssl, which also then allows you to easily automate the process of issuing certificates for new users. All you have to do is bundle your root and intermediate certificates (not keys) along with the user's certificate and key and have them install the whole lot together.
There's not much more a third-party certificate can do that that kind of setup won't, as a user having a client certificate is how you validate who they are. That said, I personally don't like swapping passwords for client certificates; I prefer to use both together for the added security, but there are other options such as certificate + multi-factor authentication.
Anyway, that's a bit of an aside; I'm using Let's Encrypt for my domains, though I'm currently having to issue some individual certificates for sub-domains due to the way that they're created, which I'll have to try to sort out at some point. It's possible other users are doing the same, and it's unclear if that 1 million metric includes renewals, since the recommendation for Let's Encrypt is to renew every month (well short of the 90 day expiration time).
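As an added illustration of the do-it-yourself CA described in the post above (example code, not the poster's own): a root CA signs an intermediate, the intermediate signs a per-user client certificate, and the user receives one PKCS#12 file holding their key, their certificate and the two CA certificates (never the CA keys). The CA names, the user name and the bundle password are made-up placeholders.

```shell
#!/bin/sh
# Hypothetical private CA for mail client certificates, built with openssl.
# Layout: root.key/root.crt (offline), intermediate.key/intermediate.crt
# (issuing), chain.crt (certs only), <user>.key/.crt/.p12 per user.
set -e

# make_client_bundle DIR USER : creates the CA in DIR on first use and writes
# DIR/USER.p12 (user key + user cert + CA certs); prints the bundle path.
make_client_bundle() (
  dir=$1 user=$2
  mkdir -p "$dir" && cd "$dir"
  # Extension profiles: CA certs may sign certificates; the user cert may
  # only authenticate a TLS client, which is what an IMAP/POP3 server checks.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' >client.ext

  if [ ! -f root.crt ]; then
    # 1. Self-signed root; only root.crt is ever distributed to users.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out root.key
    openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt
    # 2. Intermediate signed by the root; this key does the day-to-day issuing.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out intermediate.key
    openssl req -new -key intermediate.key -subj "/CN=Example Mail CA" -out intermediate.csr
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.ext -out intermediate.crt
    cat intermediate.crt root.crt >chain.crt   # certificates only, no keys
  fi

  # 3. Per-user key and certificate, signed by the intermediate.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$user.key"
  openssl req -new -key "$user.key" -subj "/CN=$user" -out "$user.csr"
  openssl x509 -req -in "$user.csr" -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 365 -extfile client.ext -out "$user.crt"
  # Refuse to ship a bundle whose chain does not validate back to the root.
  openssl verify -CAfile root.crt -untrusted intermediate.crt "$user.crt" >/dev/null

  # 4. One file for the user to import: key + cert + chain, password-protected.
  openssl pkcs12 -export -inkey "$user.key" -in "$user.crt" -certfile chain.crt \
    -name "$user" -passout pass:changeit -out "$user.p12"
  echo "$dir/$user.p12"
)

# Usage: sh make_bundle.sh ./demo-ca alice   (does nothing without arguments)
[ $# -eq 0 ] || make_client_bundle "$1" "${2:-alice}"
```

Each import of the .p12 gives the mail client the user's key and certificate plus the trust chain; CA private keys stay on the issuing machine.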