But why would they do that, when they also have access to the certificate private key, which is valid for just about as long (or even longer now) and which doesn't carry the risk of being detected via Certificate Transparency (since the certificate in question was already logged and is - presumably - authorized by the domain owner)?
I do agree that it makes sense to use a relatively low value for the authorization lifetime, but I don't think this is really A Big Deal. Here are some other things an attacker could do (with a typical web server configuration) if they're in a position to obtain the account key:
- Steal the certificate private key and use that for MitM attacks to avoid any kind of detection via CT
- Pass a new domain validation challenge and request a new certificate from Let's Encrypt
- Obtain a certificate from any other publicly-trusted CA, with certificate lifetimes up to 39 months, and authorization lifetimes up to 39 months as well (which means they could theoretically get valid certificates for your domain for up to 78 months!)
With that in mind, allowing authorizations to be reused for short periods does not add any significant risk, in my opinion.