CAA iodef support needed

Unfortunately, managing this email system is one of our largest expenses, especially from an "engineering time and effort" perspective. We constantly wish that we could stop sending renewal reminder emails for a variety of reasons, but they're too useful for us to stop. It's highly unlikely for us to add another automated email without investing in massive email infrastructure improvements first.

I don't fully agree with this conclusion. You're right that a more restrictive CAA record would have prevented the attack. In which case, what purpose would the iodef record serve? Sure, we might notify the domain operator that someone tried to issue for their domain, but we couldn't provide any useful information about the attempt. The attempt could be anywhere from an innocent typo or a minor misconfiguration of your own to a nation-state actor. When you get an email in your inbox that says "Your CAA records prevented issuance of a cert for your domain", what action will you take with that email?

This is the fundamental issue with iodef records, and why Let's Encrypt hasn't implemented them so far. Either you're savvy enough with CAA to have set records that provide effective protection, in which case receiving an iodef notification email is unactionable and useless, or you haven't set up CAA records and you'll never get a notification email at all. There's no situation in which receiving an iodef notification is actually useful and actionable.

8 Likes
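As an added example (not code from the post above or from Let's Encrypt), here is a toy CAA evaluation in the style of RFC 8659 that shows the two cases the reply describes: a restrictive record set refuses issuance and yields an iodef target, while a domain with no CAA records never produces anything to report. The in-memory zone table, the CA identifier "ca.example" and the report addresses are constructed assumptions.

```python
# Toy RFC 8659-style CAA evaluation. Added example, not code from the post;
# the in-memory ZONE stands in for DNS and "ca.example" is an assumed CA id.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str

# Constructed zone: only names that actually carry CAA records appear.
ZONE = {
    "example.com": [CAA(0, "issue", "ca.example"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "strict.example.com": [CAA(0, "issue", ";"),      # nobody may issue
                           CAA(0, "iodef", "https://reports.example.com/caa")],
    "example.org": [CAA(0, "issue", "ca.example"),
                    CAA(0, "issuewild", ";")],         # no wildcards at all
}

def relevant_caa(name, zone=ZONE):
    """Walk from the name up towards the root; the first CAA RRset found is relevant."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def evaluate(name, ca, zone=ZONE):
    """Return (permitted, iodef_targets) for `ca` wanting to issue for `name`.
    iodef targets are returned only when CAA refused issuance: that is the
    one moment a CA could send the notification discussed in the post."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    if not rrset:                  # no CAA anywhere: permitted, nobody to notify
        return True, []
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    issue = [r for r in rrset if r.tag == tag]
    if not issue:                  # e.g. only an iodef record: not restrictive
        return True, []
    allowed = {r.value.split(";")[0].strip() for r in issue}
    if ca in allowed:
        return True, []
    return False, [r.value for r in rrset if r.tag == "iodef"]
```

Note that the only refusal for which there is anyone to notify is the one where the operator already wrote a restrictive record, which is exactly the case where the notification carries no new information.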