Suggested resolution to Firewall problems

One of the main reasons for this policy is that Let's Encrypt wants to enable and encourage automation in certificate renewal. If you whitelist specific IP addresses that are used now, you won't have a solution that works automatically when Let's Encrypt changes those addresses in the future. Let's Encrypt does not want to receive pressure from subscribers not to change validation IP addresses because of people having hard-coded old ones in their firewalls.

Secondarily—and I don't know where Let's Encrypt is going with this right now—there is an idea that validation from many different parts of the Internet will help make it harder for attackers to manipulate Internet routing (or DNS) in order to get certificates that they shouldn't be entitled to. This may in principle also involve changing the validation addresses much more frequently or unpredictably in some way, in order to prevent attackers from being able to target particular capabilities that they can be sure would get them a predictable certificate misissuance ability. (Again, I don't know Let's Encrypt's current thinking on this topic, only some discussions from a few years ago.)

If you think letting the general public connect to port 80 of your services is risky, you could try

  • only letting the general public connect at moments when you're issuing or renewing a certificate
  • limiting the general public's access to requesting /.well-known/acme-challenge and nothing else
  • using one of the other challenge methods to prove your control over the domain, including with a CNAME as @rmbolger mentions (so that you don't even need programmatic access to the same DNS zone where your other DNS records are located!)
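As an added example (not part of the post above, and not Let's Encrypt's or certbot's own code) of the first suggestion in the list, here is a small certbot hook script that opens TCP/80 to the world only for the duration of an HTTP-01 renewal and closes it again afterwards. It assumes iptables, a dedicated chain named `ACME_INPUT` (a hypothetical name; create it and jump to it from `INPUT`, so the hook never touches your other rules) and certbot's `--pre-hook`/`--post-hook` options. Setting `IPTABLES=echo` gives a dry run that prints the rule instead of applying it.

```shell
#!/bin/sh
# Added example: open port 80 only while certbot is validating an HTTP-01 challenge.
# Assumptions (not from the original post): iptables is in use, and a dedicated
# chain ACME_INPUT (hypothetical name) already exists and is jumped to from INPUT.
set -eu

IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES=echo for a dry run
CHAIN="${ACME_CHAIN:-ACME_INPUT}"   # assumed dedicated chain, so -D/-I affect nothing else

acme_rule() {
  # The single rule added for the validation window: accept NEW TCP connections
  # to port 80 from any source, tagged with a comment so it is easy to audit.
  printf '%s' "-p tcp --dport 80 -m conntrack --ctstate NEW -m comment --comment acme-challenge -j ACCEPT"
}

open_port80() {
  # Insert at position 1 so it takes precedence over any existing DROP in the chain.
  # shellcheck disable=SC2046  # word-splitting of the rule spec is intended
  "$IPTABLES" -I "$CHAIN" 1 $(acme_rule)
}

close_port80() {
  # Delete exactly the rule we added; iptables -D matches on the full rule spec.
  # shellcheck disable=SC2046
  "$IPTABLES" -D "$CHAIN" $(acme_rule)
}

# certbot calls this script as "<script> pre" before the renewal attempt and
# "<script> post" after it. Without an argument it only defines the functions.
case "${1:-}" in
  pre)  open_port80 ;;
  post) close_port80 ;;
  *)    ;;
esac

# Usage (assumed install path /usr/local/sbin/acme-fw.sh):
#   certbot renew --pre-hook "/usr/local/sbin/acme-fw.sh pre" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh post"
```

certbot only runs the pre-hook when a certificate is actually due for renewal and runs the post-hook after the attempt, so the window is closed again whether or not validation succeeded. During that window port 80 is reachable from any address, which is exactly what the validation policy requires; if you also want the second suggestion in the list, have the web server behind it serve only `/.well-known/acme-challenge/` and return an error for everything else.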