Disclaimer first: all contents are personal, I'm not affiliated
with Let's Encrypt or ISRG.
I think you could always attempt to get the certificate via DNS validation, which definitely doesn't need HTTP port 80 access.
I don't think port 80 will be a security hole if you already have other ports open (if you don't have other ports open, DNS-based validation will probably be better in your use case, if allowed). As many people have suggested before, port 80 is a common port and in most cases only serves as a redirection port nowadays.
I think what Let's Encrypt wants by not disclosing a list of IPs and by using multi-VA is to avoid much worse security vulnerabilities (spoofing, for example), and Let's Encrypt provides at least one other way for you to complete these challenges (through DNS TXT records, which can be used with acme-dns or something else if your company doesn't allow you to modify the current NS/API). I know these can be hard for large corporations and some sensitive businesses / governments, but HTTP-based validation isn't your only choice.
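For readers who have not used DNS-01 before, the following is an added example (not part of the post above and not Let's Encrypt, certbot or acme-dns code) showing what the DNS alternative actually requires: the TXT value is derived per RFC 8555 section 8.4 as base64url(SHA-256(token "." JWK-thumbprint)), it is published at `_acme-challenge.<name>`, and the label can be delegated by CNAME to a separate, API-updatable zone, which is the acme-dns pattern. The account key, token, zone contents and the `auth.acme-dns.example.net` delegation target are constructed sample values; the resolver is a toy over an in-memory dict, not a real DNS lookup.

```python
"""DNS-01 challenge: derive the expected TXT value and check a (constructed) DNS answer.

Added example; stdlib only, runs offline. Key material and names are sample values.
"""
import base64
import hashlib
import json

# Constructed sample inputs (not a real ACME account key or token).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    keys in lexicographic order, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_name(identifier: str) -> str:
    """Where the CA looks: '_acme-challenge.' prepended to the validated name.
    A wildcard '*.example.com' is validated at '_acme-challenge.example.com'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}."


def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> list:
    """Toy resolver over a constructed zone: follow CNAMEs (this is what makes an
    acme-dns style delegation work) and return the TXT strings at the end of the chain.
    A CNAME loop or an over-long chain yields no answer rather than spinning."""
    for _ in range(max_hops):
        rtype, rdata = zone.get(name, ("NONE", None))
        if rtype == "CNAME":
            name = rdata
            continue
        return list(rdata) if rtype == "TXT" else []
    return []


def validate_dns01(identifier: str, token: str, jwk: dict, zone: dict) -> bool:
    """CA-side check: at least one TXT RR at the challenge name must equal the
    expected value exactly. Old values from earlier runs may coexist; that is fine."""
    expected = dns01_txt_value(token, jwk)
    return expected in resolve_txt(challenge_name(identifier), zone)


# Constructed zone: the production domain delegates only the challenge label to a
# separate zone (hypothetical acme-dns style target), so nobody needs write access to
# the main NS/API. A stale record from a previous issuance is left in on purpose.
SAMPLE_ZONE = {
    "_acme-challenge.example.com.": ("CNAME", "a1b2c3d4.auth.acme-dns.example.net."),
    "a1b2c3d4.auth.acme-dns.example.net.": (
        "TXT",
        [dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK), "stale-value-from-a-previous-run"],
    ),
}

if __name__ == "__main__":
    print(challenge_name("*.example.com"), dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
    print(validate_dns01("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_ZONE))
```

Two practical points the code makes explicit: a wildcard and the base name share one challenge label, so only `_acme-challenge.example.com` ever needs delegating, and the validator compares the whole TXT string exactly, so a wrong token or a record that has not propagated fails cleanly rather than partially.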