I think the discussion should not go into reasoning about how frequent the hijacks are (see bitcoin story). There is no assurance at any given moment that some traffic is not terminated in the wrong hands (unless that traffic is signed with trusted keys). Therefore everyone should accept that a TCP/IP connection to an IP is generally not a secure way to check the validity of a certificate request on its own.
Which begs another question… Why are there no ways to either:
- disallow issuance of a letsencrypt certificate completely or without secondary verification;
- specify additional verification information that a hijacker could not control (existing certificate signature or DNS record)
IMO two methods combined might create additional level of defense.