Re: "We decided on a global fallback"
As an example, older APC power distribution units like the AP7921 have a web interface that can only do up to SSL3.0. So my only choice is to either leave them http only, or keep an old copy of IE around to access them. Because yes, I have almost locked myself out of them before by enabling HTTPS. Ours are on a separate management network though, so we can leave them on http only without worrying too much.
(Here's the list of ciphers it supports, read it and weep: DES [56 bit], RC4_MD5 [128 bit], RC4_SHA [128 bit], 3DES [168 bit])