Yep, @cpu’s got the gist of it. We’d want to do a little more formal investigation of the current client compatibility issues before we made “No CN + critical SANs” an option. That said, I don’t think it’s entirely out of the realm of possibility. Last time I looked, Chrome on Mac was the big blocker. That was a big enough client population to rule out that option at the time. However, I think that has since been fixed, either at the Chrome level or the macOS level. It might be worthwhile to spend some time testing various platforms.
Fortunately, testing compatibility is pretty easy: Just visit https://no-common-name.badssl.com/ on any given platform. If you don’t get a certificate error, that platform handles the “No CN” case properly. If someone wanted to start a new thread for compatibility testing of No CN, that would be really useful!
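The certificate shape being discussed, "No CN + critical SANs", means a leaf certificate whose Subject carries no commonName at all and whose subjectAltName extension is flagged critical, so a client that still keys on CN has nothing to fall back to and a client that cannot process SAN must reject the certificate. The browser visit above is the real client test; the script below is an added example (not from the original post or from badssl.com) that builds one certificate of each shape with OpenSSL so you can see the difference and check any certificate you have in hand. The config file, the hostname `no-common-name.example.test`, and the `inspect_cert` helper are all my own constructions, not anything the thread provides.

```shell
#!/bin/sh
# Added example: build a baseline cert (CN present, non-critical SAN) and a
# "No CN + critical SAN" cert, then report which shape a given cert has.
# Requires the openssl CLI (1.1.1 or newer). All names here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed req config. The subject is supplied on the command line, so
# the [dn] section is intentionally empty. Two extension profiles follow.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
# empty: the subject comes from -subj

[baseline_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:no-common-name.example.test

[no_cn_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
# The only difference that matters for this thread: SAN marked critical.
subjectAltName = critical,DNS:no-common-name.example.test
EOF

# make_cert <subject> <extension section> <output path>
# Self-signed, throwaway RSA key; "-subj /" yields an empty Subject.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$1" -config "$WORK/req.cnf" -extensions "$2" \
        -keyout "$WORK/key.pem" -out "$3" 2>/dev/null
}

# inspect_cert <cert.pem>
# Prints "<has-cn|no-cn> <critical-san|noncritical-san>" for the cert.
inspect_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    text=$(openssl x509 -in "$1" -noout -text)
    case "$subject" in
        *CN*) cn=has-cn ;;
        *)    cn=no-cn ;;
    esac
    # openssl prints the extension header as "...Alternative Name: critical"
    # when the critical flag is set, and with nothing after the colon otherwise.
    if printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name: critical'; then
        san=critical-san
    else
        san=noncritical-san
    fi
    echo "$cn $san"
}

BASELINE_CERT="$WORK/baseline.pem"
NO_CN_CERT="$WORK/no-cn.pem"

make_cert "/CN=no-common-name.example.test" baseline_ext "$BASELINE_CERT"
make_cert "/" no_cn_ext "$NO_CN_CERT"

echo "baseline: $(inspect_cert "$BASELINE_CERT")"
echo "no-cn:    $(inspect_cert "$NO_CN_CERT")"
```

To run the same check against a live site instead of a generated file, pipe the server's leaf into a file first, for example `openssl s_client -connect no-common-name.badssl.com:443 -servername no-common-name.badssl.com </dev/null 2>/dev/null | openssl x509 > leaf.pem`, and then call `inspect_cert leaf.pem`. That tells you what the server is presenting; only the browser visit tells you whether a particular platform accepts it.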