Interesting. IdenTrust, who cross-signs Let's Encrypt, has been in the root CA lists for a long time. (Mozilla merged this particular root certificate, DST Root X3, in 2008, as a replacement for existing expiring IdenTrust roots.)
The problem seems to be Java/Oracle's root store, where IdenTrust is not included. Let's Encrypt has stated that they have applied to Oracle's root program with their own root certificate, so hopefully this will eventually be solved in a future Java version.
Hopefully. I'm willing to give Apple the benefit of the doubt here that this was unintended oversight. Practically speaking, iTunes should use exactly the same SSL infrastructure as Safari.