I've always figured it was just unwillingness on people to implement the work required for that to happen. Inertia.
The "wildcard" certs' relevant RFCs are worded such that * . * .example.com isn't valid; one of the relevant RFCs restricts you to only 1 star in the leftmost component, so two stars is invalid.
There's a thing that you can put into a cert called "name constraints" that does have a syntax that allows you to say ".example.com", which allows things such as "foo.bar.example.com". It's valid on CA certs (it's oddly only valid on CA certs), which means that you could get a cert that was a CA cert for just your domain, and all subdomains. It'd be incredibly useful.
But no CA that I know of will issue them. Of the major browsers, only Firefox supports them. The whole Lets Encrypt thing makes it mostly a moot point though, since with Lets Encrypt you'd just obtain a non-CA cert for each specific domain.
(It'd still be useful, I think, to see it implemented, if only for restricting CAs to certain public suffixes, when/if that's appropriate.)
The "wildcard" certs' relevant RFCs are worded such that * . * .example.com isn't valid; one of the relevant RFCs restricts you to only 1 star in the leftmost component, so two stars is invalid.
There's a thing that you can put into a cert called "name constraints" that does have a syntax that allows you to say ".example.com", which allows things such as "foo.bar.example.com". It's valid on CA certs (it's oddly only valid on CA certs), which means that you could get a cert that was a CA cert for just your domain, and all subdomains. It'd be incredibly useful.
But no CA that I know of will issue them. Of the major browsers, only Firefox supports them. The whole Lets Encrypt thing makes it mostly a moot point though, since with Lets Encrypt you'd just obtain a non-CA cert for each specific domain.
(It'd still be useful, I think, to see it implemented, if only for restricting CAs to certain public suffixes, when/if that's appropriate.)