Certificates having short lifetimes doesn't have to mean that verification has to happen at the same frequency. And frequent verification doesn't have to mean that dns records need to be updated each time - for example you could have a dns record saying that HTTP-based authentication for the main domain covers all subdomains.
The Ten Blessed Methods (no there currently aren't ten of them, yes I'm going to keep calling them that) do not allow you to just make up rules like "Let's have a DNS record saying it's OK not to verify anything".
Currently methods 3.2.2.4.18 and 3.2.2.4.19 allow you to get a wildcard based on the web site changes, but that's clearly unsafe and is going away from December. Let's Encrypt never allowed it because it would be hypocritical to have people saying "This is unsafe" while also allowing it.
