Scenario 1: If you are using a self-signed certificate on an internal website, you are still using encryption. The biggest security issue (that I am aware of) is the fact that your browser won't recognize the cert as trusted, and when you tell your browser to trust it, most people won't verify that the certificate you are trusting is actually the certificate on the web server, and not a man-in-the-middle system that replaced your certificate with their own. So the security issue here is clear.
Scenario 2: With a valid X509 certificate from an actual, globally-trusted CA, when the certificate expires, if you choose to bypass your browser's warning and use the website to login, what is the security issue? You're still using encryption. The private key is still secure on the web server. If a man-in-the-middle system tries to replace the certificate, you'll presumably get a browser warning about the certificate being invalid, rather than a warning about it being expired.
PS. There's an entire article about the Dangers of SSL Certificate Expiration, but all it does is mention the business downsides (not technical downsides) that only apply to public websites (not internal websites), and mention a generic statement like "Personal information at risk from man-in-the-middle attacks" with zero explanation for why they think that is the case. I'm not sure they even know. I feel like most websites on the internet do this for a complex topic like this - they say a generic statement that they assume is true, but don't know why.
A certificate has a lifetime to simplify certificate revocation. Once the certificate is expired it is considered invalid, which means no revocation information for this certificate needs to be kept by the CA and provided on request by the client (i.e. revocation checks with CRL, OCSP, ...).
Thus, if an expired certificate gets compromised (private key known to the attacker) the certificate owner cannot revoke it, since it is invalid already anyway. This means a man-in-the-middle can impersonate the original server with the original certificate and stolen private key, and the client has no way to detect this by checking revocation.
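To make the point of the answer above concrete, here is an added simulation (not code from the original post) of a CA that drops CRL entries for certificates once they have expired, and a client that either enforces the expiry date or clicks through it. Serial numbers, dates and the `Cert`/`CRL` classes are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:
    serial: int            # constructed serial number
    not_after: datetime    # end of validity period

@dataclass
class CRL:
    # serial -> not_after of the revoked certificate (constructed model)
    revoked: dict = field(default_factory=dict)

def revoke(crl: CRL, cert: Cert) -> None:
    """CA action after a key compromise: list the certificate in the CRL."""
    crl.revoked[cert.serial] = cert.not_after

def prune_expired(crl: CRL, now: datetime) -> None:
    """CA housekeeping: expired certificates are invalid anyway, so their
    revocation entries are no longer published (RFC 5280 permits this)."""
    crl.revoked = {s: exp for s, exp in crl.revoked.items() if exp > now}

def validate(cert: Cert, crl: CRL, now: datetime, allow_expired=False) -> str:
    """Client-side check: returns 'expired', 'revoked' or 'ok'."""
    if now > cert.not_after and not allow_expired:
        return "expired"
    if cert.serial in crl.revoked:
        return "revoked"
    return "ok"

def demo() -> dict:
    expiry = datetime(2024, 1, 1)
    server_cert = Cert(serial=4242, not_after=expiry)
    crl = CRL()
    results = {}

    # Key stolen and revoked 10 days before expiry: clients still catch it.
    revoke(crl, server_cert)
    results["before_expiry"] = validate(server_cert, crl, expiry - timedelta(days=10))

    # After expiry the CA prunes the entry; a strict client still rejects the
    # certificate, but a click-through client now accepts the stolen key.
    later = expiry + timedelta(days=5)
    prune_expired(crl, later)
    results["strict_after_expiry"] = validate(server_cert, crl, later)
    results["clickthrough_after_expiry"] = validate(server_cert, crl, later, allow_expired=True)
    return results
```

The last result is the failure mode the answer describes: once the client overrides the expiry warning, the CRL no longer carries the entry that would have exposed the attacker.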