My problem with the limits is that it encourages key reuse. This has been brought up a couple of times, but I still don't understand the reasoning behind it.
I have hosta.derp.com, hostb.derp.com and hostc.derp.com (Let's assume the limits are set to 2 hosts per domain, to make this simple).
The recommended way of doing this, if I'm not mistaken, is to have one certificate that contains all three hosts, right? Then it doesn't hit the 20 host limit (or 2, in this example).
So I now have a single certificate, with a single key, on all three machines. And because I'm good, I've also enabled https key pinning.
But, uh-oh. hostc.derp.com has been compromised. Someone's stolen my certificate and my key! If I wasn't forced to recycle the same key, I would be fine (well, I'd have errors connecting to hostc, because the key has changed).
But, now I have to reissue the cert on all three hosts, and all three are now broken until my pinning expires. (Even if I'd re-generated the certificate three times, with a different key, I'd still have to reissue it because the attacker could impersonate my other two hosts)
This is why I don't understand the logic behind the per-domain rate limiting. @jsha could you possibly expand on the reasoning behind this?
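The two layouts compared above, as an added example that is not part of the original post: a throwaway self-signed stand-in for each CA-issued certificate is built with openssl (1.1.1 or later is assumed for `-addext`), the HPKP `pin-sha256` value is computed the way RFC 7469 defines it (base64 of the SHA-256 of the DER SubjectPublicKeyInfo), and a helper lists which hostnames a stolen certificate is valid for. The hostnames are the ones from the post; all keys, certificates and the temp directory are constructed by the script.

```shell
#!/bin/sh
# Added example (not the poster's code): model "one key + one three-name
# cert on every host" against "one key + one single-name cert per host"
# and show what a theft of hostc's key and cert touches in each case.
set -eu

WORK=$(mktemp -d)                 # constructed scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

# $1 = private key (PEM), $2 = output cert, remaining args = SAN hostnames.
# Self-signed leaf, standing in for the CA-issued cert the post talks about.
make_cert() {
  key=$1; out=$2; shift 2
  sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  openssl req -new -x509 -key "$key" -out "$out" -days 1 \
    -subj "/CN=$1" -addext "subjectAltName=$sans"
}

# RFC 7469 pin-sha256 of the cert's SubjectPublicKeyInfo. Hosts that share
# a key share a pin, so a pinned client cannot tell them apart.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Hostnames the certificate is valid for: every DNS entry in its SAN.
# This is the set an attacker holding cert+key can impersonate.
names_in_cert() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS://p' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Layout 1 (what a low per-domain limit pushes you toward): one key, one
# cert naming all three hosts, the same pair copied to each machine.
shared_layout() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/shared.key"
  make_cert "$WORK/shared.key" "$WORK/shared.crt" \
    hosta.derp.com hostb.derp.com hostc.derp.com
  for h in hosta hostb hostc; do cp "$WORK/shared.crt" "$WORK/$h.shared.crt"; done
}

# Layout 2: a fresh key and a single-name cert on each host.
separate_layout() {
  for h in hosta hostb hostc; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/$h.key"
    make_cert "$WORK/$h.key" "$WORK/$h.crt" "$h.derp.com"
  done
}

# Demo: hostc is compromised; what does the stolen material cover?
shared_layout
separate_layout
echo "shared layout, stolen cert is valid for:   $(names_in_cert "$WORK/hostc.shared.crt")"
echo "per-host layout, stolen cert is valid for: $(names_in_cert "$WORK/hostc.crt")"
if [ "$(spki_pin "$WORK/hosta.shared.crt")" = "$(spki_pin "$WORK/hostc.shared.crt")" ]; then
  echo "shared layout: hosta and hostc present the same pin, so both must rotate"
fi
if [ "$(spki_pin "$WORK/hosta.crt")" != "$(spki_pin "$WORK/hostc.crt")" ]; then
  echo "per-host layout: hosta's pin is untouched by hostc's key loss"
fi
```

Two things the output makes concrete: the impersonation blast radius is set by the SAN list, not by how many times the cert was issued (a three-name cert with a fresh key per host still lets hostc's thief serve hosta and hostb, exactly as the post's parenthetical says), while the pin blast radius is set by the SPKI, which is identical on every host that shares the key. HPKP itself has since been removed from major browsers, but the same reasoning applies to any client that pins a leaf key.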