Hello! I always found it amusing that the example.com cert is Organization-Validated, so one can be sure that it's the real example site, run by the IANA.
I'm not sure what "new infrastructure" you mean specifically, but in general I wouldn't expect new infrastructure to require also changing CAs. You should be able to automate getting certificates from Digicert using Certbot, as well as other CAs like Let's Encrypt.
I'm guessing that they currently block the names not out of some sort of feeling that the RFCs require it, but just because otherwise they'd be handling a lot of requests to validate that will end up failing. Or maybe just because it's a high-profile domain, and they like making sure that the organization actually wants to use their services first. I have this post bookmarked for officially requesting allowing a high-profile domain to be enabled for Let's Encrypt, though it's a few years old so maybe a staff member will hop on with more specific instruction for your case.