My company's very relaxed IT department* doesn't understand the importance of certificates, and our VPN host site does not have a valid one. Given that we access the VPN by IP address, how serious a risk does the invalid certificate pose?

*(I'm aware that "relaxed" might not be the most appropriate adjective here. )