This is the first suggestion that actually seems workable. It is not entirely free of costs though:
- Who will review changes to that branch?
- How do you clearly signal that people really shouldn't be using this branch unless they actually need a certified compiler for compliance reasons? I.e. we don't want Debian, REHL, Ubuntu LTS etc shipping old compilers to the general public who don't need this and would be better served by the latest stable.
EDIT: Another point that someone made is that of Let's Encrypt before: make it easy to automate and stay up-to-date. Rather than making it easy to update manually very rarely.