I don't believe the expired SSL certificate changes much about where the vulnerabilities are in your site.
The expired certificate will require users to click through a warning, but the traffic to the same page(s) that were encrypted before will still be encrypted.
The problem is with users not trusting your site and possibly avoiding it until the certificate is renewed.