It’s worth noticing for a moment that Let’s Encrypt specifically only issues certificates for (what is often known as) the web PKI. A lot of the statistics we’re talking about are either specifically limited to the web PKI or in practice have very little visibility beyond that.
By the web PKI what I mean is the public key infrastructure that grew up as a result of SSL (and then TLS) on the public Internet, roughly the stuff that’s covered by the Baseline Requirements of the CA/B forum. Most obviously that includes https://google.com/ but at the edges it touches on an IMAP server doing STARTTLS or an internal-only test server knocked up with a few lines of Python and granted a certificate using ACME DNS validation even though the actual server has no Internet access.
Certificate Transparency only applies to the web PKI (in fact you can’t even submit certificates that don’t seem to chain back to what Google considers root CAs for the web PKI). Web surveys like W3Techs only look at the (presumably large) fraction of the web PKI that’s actually on the public world wide web, and “browser market share” estimates often only actually ask the CAs about their SSL business and may specifically exclude certificates they’re selling outside the web PKI.
It looks reasonable to believe, though it’s hard to be entirely certain, that Let’s Encrypt is among the top five CAs in the web PKI, ranking by volume of current valid certificates or names certified.
But there are a LOT of other certificates out there, beyond the web PKI.
Firstly: private CAs operating in parallel with the web PKI. Many commercial CAs operate one or more entirely parallel CA roots, such as Entrust’s L1R, not included in popular trust stores and used largely for internal systems at corporations where all company computers can be compelled to trust the special private root key. Since they’re not publicly trusted they don’t need to obey the BRs, which means they can have streamlined request processes (e.g. just sign in with your password and we’ll issue any certificate you want), permit obsolete crypto algorithms (still want MD5 in 2016? No problem), ignore name rules (machine named exchange.corp? Sure, seems fine), and so on. A lot of practices that were outlawed for the web PKI due to their risk continue in private.
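As an added illustration (not part of the original post) of the kind of thing a private root can issue but a BR-bound public CA cannot, the Go snippet below self-signs a test certificate for exchange.corp and then lints it for two of the practices named above: a weak signature algorithm and a name that cannot exist in the public DNS. The suffix list and the LintWebPKI/MakeTestCert names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// Name suffixes that never resolve in the public DNS (constructed list for this example).
var privateSuffixes = []string{".corp", ".local", ".internal", ".lan"}

// LintWebPKI lists how a certificate departs from what a BR-compliant public CA could issue.
func LintWebPKI(c *x509.Certificate) []string {
	var findings []string
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	for _, name := range c.DNSNames {
		for _, s := range privateSuffixes {
			if strings.HasSuffix(strings.ToLower(name), s) {
				findings = append(findings, "non-public name: "+name)
			}
		}
	}
	return findings
}

// MakeTestCert self-signs a certificate carrying the given SANs: constructed test data.
func MakeTestCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run against a real certificate chain exported from an internal system, the same LintWebPKI call shows which private-root habits would block migration to a publicly trusted CA.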
Many commercial CAs also offer certificates for S/MIME. Never as generally popular as email itself, S/MIME lives on in some applications and because certificates are issued to individual users / email addresses it’s not at all unreasonable to imagine that tens of millions or even more of these certificates might be issued each year from CAs.
And then there are less common Internet-related certificate types such as IPsec certificates, VPN certificates, and certificates for 802.1x (often on WiFi) authentication.
Beyond that you’ve got certificates for code signing and signing virtual contracts, and certificates baked into physical devices such as payment terminals. iPhones, Microsoft domain servers, lots of things have certificates. Some of them, perhaps more than you’d think, end up being issued by the major commercial CAs, even just because they know how to fill out the forms correctly.
If you only care about the web PKI (and probably lots of people do) that makes Let’s Encrypt very important. But in other contexts they’re irrelevant, and it is worth being a bit humble about that.