@Patrick: There is such a thing, name constraints, but there are problems. It relies on the client to check, and while it's better supported now than it used to be, I bet there are some important things that don't use it, thus nullifying the constraint. Also, it only applies to subjectAlternativeName, not the names in the CN. While a CA can enforce that the SAN is used in certs that it signs directly (indeed this is part of the CA/B Forum requirements), that's not the case with a subCA. Similarly, some other things enforced by the CA (validity is a big one) could no longer be enforced for a subCA.

Also, the requirement to publish to CT logs is still there.

Basically there needs to be a lot more trust in somebody to operate a subCA (even restricted by name and path length constraints) than any type of host certificate (whether that's wildcard or for an individual server).
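As an added illustration of the two limits the comment raises (this is constructed example code, not part of the original thread), here is the RFC 5280 dNSName subtree matching logic a constrained client would run, applied only to SAN entries, so a hypothetical CN-only leaf gives the constraint nothing to check:

```python
"""Minimal RFC 5280 (4.2.1.10) dNSName name-constraint check, constructed
for illustration. A dNSName satisfies a subtree when it equals it or is
built by prepending labels to it: "example.com" covers "www.example.com"
but not "badexample.com". Excluded subtrees take precedence over permitted.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Leaf:
    """Constructed stand-in for an end-entity certificate (hypothetical)."""
    cn: str
    san_dns: list[str] = field(default_factory=list)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """True if `name` lies within the dNSName constraint `subtree`."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().lstrip(".").rstrip(".")
    return name == subtree or name.endswith("." + subtree)


def dns_name_permitted(name: str, permitted: list[str], excluded: list[str]) -> bool:
    """Apply excludedSubtrees first; if any permittedSubtrees exist the
    name must fall inside at least one of them."""
    if any(dns_in_subtree(name, s) for s in excluded):
        return False
    if permitted and not any(dns_in_subtree(name, s) for s in permitted):
        return False
    return True


def names_checked_by_constraints(leaf: Leaf) -> list[str]:
    """Only SAN dNSName entries are subject to the constraint. A certificate
    that carries its hostname solely in the subject CN presents no dNSName,
    which is the gap the comment points out."""
    return list(leaf.san_dns)


def leaf_passes(leaf: Leaf, permitted: list[str], excluded: list[str]) -> bool:
    """Result a constraint-aware client would reach for this leaf under the
    intermediate's permitted/excluded dNSName subtrees."""
    return all(dns_name_permitted(n, permitted, excluded)
               for n in names_checked_by_constraints(leaf))
```

Note that a client which never evaluates the extension at all accepts every leaf regardless of the result here, which is the first limit the comment describes.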