Problems with CAA records only with Google and Let's Encrypt

So, I'm not sure how to apply this information to help you, but I can tell you more about what it actually means. 🙂

Let's Encrypt checks DNS from many places around the world, in order to help make sure that the requestor is actually someone who controls the domain name and not someone who can just redirect packets in one particular corner of the Internet. (See this FAQ on multi-perspective validation for more detail than you probably need.) The "During secondary validation" message means that the primary validation (from Let's Encrypt's main datacenter) succeeded, but at least two (I think, maybe just at least one) of the secondary validation sites (from various "cloud" region datacenters) got an error validating.

You may be seeing issues with CAA more often than others because the CA needs to check CAA at the time of issuing the certificate (unless it's been checked within the past 8 hours for that name already), even if it had been checked and approved earlier. It is also more of a "stress test", since it has to check each segment from the full domain name down to the root, and while having no CAA record is fine, it needs to get a correct "no records, no error" response for each of the names.

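To make the tree walk described in the post above concrete, here is an added example (my own code, not the poster's, Let's Encrypt's or Boulder's) that models how a CA evaluates CAA before issuing: it climbs from the full name toward the root, requires a clean "no records, no error" answer at every level until it finds the first CAA RRset, applies the `issue`/`issuewild` rules from RFC 8659, and then runs that check from several vantage points so the "During secondary validation" situation can be reproduced. The DNS answers, zone names and region names are all constructed so the code runs offline; the rule that any single failing secondary fails the whole check, and the treatment of NXDOMAIN as "no records", are simplifications of this model, not a statement of what Let's Encrypt does.

```python
"""Model of the CAA tree walk a CA performs before issuance (RFC 8659), written
as an added example for this thread. All DNS answers below are constructed."""
from dataclasses import dataclass


class CAALookupError(Exception):
    """A CAA query failed (SERVFAIL, timeout, ...) before the relevant RRset was found."""


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str
    value: str


# Constructed fake DNS: name -> (rcode, CAA RRset). Names absent from the table
# answer NOERROR with no records (NODATA), as a real zone without CAA does.
PRIMARY_DNS = {
    "example.com.": ("NOERROR", [CAARecord(0, "issue", "letsencrypt.org"),
                                 CAARecord(0, "issuewild", ";")]),
    "locked.example.com.": ("NOERROR", [CAARecord(0, "issue", ";")]),
    "example.org.": ("NOERROR", [CAARecord(0, "issue", "letsencrypt.org")]),
    "critical.example.org.": ("NOERROR", [CAARecord(0x80, "newtag", "x")]),
    "broken.example.com.": ("SERVFAIL", []),
}
# Same zone as seen from a resolver in another region where example.com. fails:
# the situation behind a "During secondary validation" error.
SECONDARY_DNS = {**PRIMARY_DNS, "example.com.": ("SERVFAIL", [])}


def fake_resolver(table):
    """Resolver callable over a constructed answer table (offline stand-in for a CAA query)."""
    return lambda name: table.get(name, ("NOERROR", []))


def ancestors(fqdn):
    """Names the CA queries, from the full name up to the TLD (the root zone itself
    is not queried in this model)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def find_relevant_caa(fqdn, resolver):
    """Climb toward the root; return (name, records) for the first non-empty CAA
    RRset, or (None, []) if no level has CAA. Every level examined on the way must
    answer cleanly: NXDOMAIN counts as "no records" here (model assumption); any
    other rcode aborts the check, which is what fails validation in practice."""
    for name in ancestors(fqdn):
        rcode, records = resolver(name)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            raise CAALookupError(f"{rcode} answering CAA query for {name}")
        if records:
            return name, records
    return None, []


def caa_permits(fqdn, ca_domain, resolver, wildcard=False):
    """Decide whether ca_domain may issue for fqdn. Returns (permitted, reason)."""
    name, records = find_relevant_caa(fqdn, resolver)
    if name is None:
        return True, "no CAA at any level; any CA may issue"
    # A critical flag on a tag the CA does not understand forbids issuance.
    for r in records:
        if r.flags & 0x80 and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical tag {r.tag!r} at {name}"
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"CAA at {name} has no applicable issue tag; any CA may issue"
    # Value is "<ca domain>[; parameters]"; a bare ";" names no CA at all.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant} - {""}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} authorised by CAA at {name}"
    return False, f"CAA at {name} authorises {sorted(allowed) or 'no CA'}"


def multi_perspective_check(fqdn, ca_domain, perspectives, wildcard=False):
    """Run the CAA check from several vantage points (first key is the primary).
    Simplification: any failing secondary fails the whole check."""
    results = {}
    for where, resolver in perspectives.items():
        try:
            results[where] = caa_permits(fqdn, ca_domain, resolver, wildcard)
        except CAALookupError as exc:
            results[where] = (False, str(exc))
    primary = next(iter(perspectives))
    failed = [w for w, (ok, _) in results.items() if not ok]
    if not failed:
        return True, "CAA permits issuance from every perspective"
    if primary not in failed:
        detail = "; ".join(f"{w}: {results[w][1]}" for w in failed)
        return False, "During secondary validation: " + detail
    return False, f"{primary}: {results[primary][1]}"


if __name__ == "__main__":
    views = {"primary": fake_resolver(PRIMARY_DNS),
             "region-a": fake_resolver(SECONDARY_DNS)}
    print(multi_perspective_check("www.example.com.", "letsencrypt.org", views))
```

The point to take from the model is the asymmetry the post describes: a domain with no CAA anywhere only passes when every intermediate name answers NOERROR with an empty answer, so a resolver that returns SERVFAIL for just one of those names from just one region is enough to turn a normally silent check into a "During secondary validation" error, even though the same zone validated fine from the primary.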