This level of proof of control is standard for DV certs, although other providers haven't automated it to the extent Let's Encrypt has, at least not with as high-quality software. One hole in this verification, of course, is that 'control' may not actually be 'ownership'; it could be someone who's hacked the host or DNS. But that's not unique to Let's Encrypt, it's a side issue; proof of control is standard and accepted for verification for DV certs.
So anyway, that kind of automated proof of control is a lot harder to apply to all of *.example.com, not just an individual host a.example.com. There are likely ways to do it well, but it's harder to do and harder to get right. That is probably why Let's Encrypt, at least for now, is not doing it.
If you control the domain `example.com`, sure. If you just control the single host that `example.com` points to, that doesn't necessarily mean you control the domain, and in fact DNS contortions are needed to even have `example.com` point to a host.