The best solution I have come across for this is DMVPN deployed on Cisco routers. The beauty with this solution is that you’ll be able to use the basically the same config for DMVPN on all the spokes. The hubs will need to be right sized based on tunnel count and encrypted bandwidth. The spokes can be much smaller routers.
Personally I deployed this for a company with around 325 sites. I used Cisco 4331s for hubs and 4321s for spokes. You could go real cheap on this if you used 1800s and could go without support.
There are more modern ways to do this today, but DMVPN is still much better than managing a ton of IPSec tunnels individually.