Not sure what you researched (providing a link is always helpful), but shim never updated the standard Secure Boot variables. It only ever supported managing its own custom variables (like MokList) and never did it automatically - any change required user confirmation.

KEK must be signed by PK, and PK is normally owned by the system's vendor (e.g. on my Lenovo it comes from Lenovo). Which means that only the system (hardware) vendor can provide the binary payload for a KEK update. The LVFS database does provide KEK updates signed by various vendors, but AFAIU they are supported starting with fwupdmgr version 2.0.10. So, my Ubuntu 24.04 installation does not show or offer these updates. Normally, they are distributed by vendors as part of BIOS/system firmware updates.

db must be signed by either PK or KEK. As long as you have the Microsoft KEK you can install db updates, which are also available via fwupdmgr. Again, you need a recent enough version. None of my Ubuntu 24.04/22.04 installations (physical or VM) offers these updates. The 25.10 VM successfully installed the updated Microsoft CA.

Devices that have been updated successfully:
 * UEFI CA (2011 -> 2023)
 * UEFI dbx (20230501 -> 20250902)

Again, they are normally distributed as part of BIOS updates.

So, if your system is still supported by your vendor you should check for BIOS updates, which will likely contain updated certificates. If your system is too old, you can still install the updated db provided by Microsoft. These files are signed by the current KEK. The same site also offers KEK updates signed by various vendors. The problem is, if your system is no longer supported it may also have a too old PK for which no updates exist. Updating using files from this site is not difficult but requires some experience, so consider simply booting a live Ubuntu 25.10 and using fwupdmgr to update the UEFI db.

Finally, you may be interested in this blog from Matthew Garrett which talks in depth about the impact of the Microsoft certificate expiration. It may be less scary than you think :)
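Before and after applying a db/KEK update it is worth looking at what the firmware actually holds. The following is an added example (not code from the answer above or from fwupd/shim) that walks the EFI_SIGNATURE_LIST structures a Secure Boot variable (PK, KEK, db, dbx) is made of, reporting each X.509 certificate as a SHA-256 fingerprint of its DER bytes and each dbx entry as its hash. The signature-type and variable GUIDs and the struct layout come from the UEFI specification; the sample blob, its owner GUID and the placeholder "certificate" bytes are constructed here so the script runs offline, and it only reads the real variables from efivarfs when they exist.

```python
"""Added example (not from the original answer): walk the EFI_SIGNATURE_LIST
entries stored in a Secure Boot variable so you can see which X.509 CAs
(PK, KEK, db) or forbidden hashes (dbx) the firmware currently holds.
The sample blob built by build_sample_db() is constructed for offline use."""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUIDs that name the variables under /sys/firmware/efi/efivars.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
VAR_GUID = {"PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
            "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE}
EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes) -> list[dict]:
    """Parse concatenated EFI_SIGNATURE_LISTs (the raw variable payload, without
    the 4-byte efivarfs attribute prefix) into a flat list of entries."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        # Reject sizes that would run past the buffer or make the loop spin.
        if (list_size < SIG_LIST_HDR.size + hdr_size or sig_size < 16
                or off + list_size > len(blob)):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + SIG_LIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        for i in range(0, len(body), sig_size):
            # EFI_SIGNATURE_DATA: SignatureOwner GUID followed by SignatureData.
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            if sig_type == EFI_CERT_X509_GUID:
                kind, value = "x509", hashlib.sha256(data).hexdigest()  # DER fingerprint
            elif sig_type == EFI_CERT_SHA256_GUID:
                kind, value = "sha256", data.hex()
            else:
                kind, value = f"other:{sig_type}", data.hex()
            entries.append({"kind": kind, "owner": str(owner), "value": value, "data": data})
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; every item in a list shares one SignatureSize."""
    if any(len(x) != len(items[0]) for x in items):
        raise ValueError("all signatures in one list must have the same length")
    sig_size = 16 + len(items[0])
    list_size = SIG_LIST_HDR.size + sig_size * len(items)
    out = SIG_LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for item in items:
        out += owner.bytes_le + item
    return out


def read_variable(name: str) -> bytes:
    """Read a Secure Boot variable from efivarfs, dropping the 4-byte attribute prefix."""
    raw = (EFIVARS / f"{name}-{VAR_GUID[name]}").read_bytes()
    return raw[4:]


# Constructed sample: one placeholder "certificate" (not a real CA, just bytes
# with a DER-looking prefix) plus a two-entry dbx-style hash list, both owned
# by a made-up GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(252))
SAMPLE_HASHES = [hashlib.sha256(b"blocked-bootloader-%d" % i).digest() for i in range(2)]


def build_sample_db() -> bytes:
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))


if __name__ == "__main__":
    for var in ("PK", "KEK", "db", "dbx"):
        try:
            blob = read_variable(var)
        except OSError:
            print(f"{var}: not readable here, showing the constructed sample instead")
            blob = build_sample_db()
        for e in parse_signature_lists(blob):
            print(f"{var}: {e['kind']:8} owner={e['owner']} {e['value']}")
```

On a real machine, compare the x509 fingerprints printed for db against the fingerprints Microsoft publishes for the 2011 and 2023 UEFI CAs (not reproduced here), or simply run `mokutil --db` / `mokutil --kek` to see the certificate subjects and validity dates. Once you know what is missing, `fwupdmgr refresh`, `fwupdmgr get-updates` and `fwupdmgr update` on a recent enough fwupd are the supported way to apply the db and dbx payloads the answer describes.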