
TLS itself doesn't care about certificates. It provides messages to send and receive them, but their interpretation isn't a matter for TLS. If you want to send photos of, say, an actual paper certificate you have or a particularly adorable cat, those messages would work fine but other people's software may not interoperate with yours.

The IETF's PKIX defines how X.509 certificates work for the Internet, because understandably X.509 is for the X.500 system and the Internet is not the X.500 system. PKIX defines the Subject Alternative Name (SAN) which allows the Internet's names (DNS names and IP addresses) to be subjects of X.509 certificates rather than needing the non-existent X.500 directory system for names.

I think you're mostly talking about the Web PKI. But the Web PKI was never "modelled" to work how you've described. At its outset, Netscape (who invented SSL and thus set this ball rolling) wanted pre-existing neutral services rather than they'd run everything and then obviously rival web browsers (including Microsoft's Internet Explorer) would have their own and it's pointless. Several important Certificate Authorities already existed at that time, issuing X.509 certificates in the X.500 system largely to banks, and were happy to take $$$ to issue certificates for this SSL experiment. Initially Netscape basically accepted any company that said they were in this business, and there were no rules (other than those the companies themselves decided on).

But in the modern era the Web PKI is in practice publicly overseen by m.d.s.policy, a policy discussion group of Mozilla. The lack of Name Constraints isn't because of some weird conspiracy, it's simply that Apple didn't support them for many years so if you used Name Constraints then now none of your certificates work on Safari or other Apple products (if Constraints are to work at all they must be marked Mandatory, and if you don't implement a Mandatory feature, you can't be sure if this certificate is valid, so you can't trust it).

For oversight to be effective the sort of delegation you envision is impossible, and accordingly where anything like it did exist the subCAs have moved back to being under physical control of the root CAs. In fact the big problem we had with Symantec comes down to the lack of effective physical control, with CrossCert able to cause issuance from Symantec's systems yet having no effective oversight.

Also your timeline is badly off in thinking about the IP block allocations. CIDR happened in like 1993, Netscape's SSL doesn't happen until at least 1996. The companies that were issued class A IP blocks before CIDR are mostly smaller and few still exist in the same form, Apple, Comcast and AT&T maybe make sense, but Ford and Prudential Financial not so much. Microsoft are not on that list.
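Added example, not part of the comment above: a small model of the rule the comment describes for Name Constraints, where a client must reject a certificate carrying an extension flagged critical (the comment's "Mandatory") that it does not implement. Certificates are constructed dicts rather than parsed DER, the client sets and helper names are hypothetical, and only permitted dNSName subtrees are handled.

```python
# Added illustration: certificates are modelled as plain dicts (constructed sample
# data), not parsed DER. Only permitted dNSName subtrees are handled.
SAN = "2.5.29.17"               # subjectAltName
NAME_CONSTRAINTS = "2.5.29.30"  # nameConstraints

def dns_within(name, subtree):
    """A dNSName satisfies a subtree if it equals it or adds labels on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def validate(chain, supported):
    """chain is ordered CA first, leaf last; supported is the set of extension
    OIDs this client implements. Returns (accepted, reason)."""
    permitted_sets = []
    for cert in chain:
        for oid, ext in cert["extensions"].items():
            # A critical extension the client cannot process means reject.
            if ext["critical"] and oid not in supported:
                return False, f"{cert['name']}: unrecognised critical extension {oid}"
        # Names in this certificate must satisfy constraints from every CA above it.
        for name in cert["extensions"].get(SAN, {}).get("value", []):
            for permitted in permitted_sets:
                if not any(dns_within(name, p) for p in permitted):
                    return False, f"{cert['name']}: {name} outside permitted subtrees"
        nc = cert["extensions"].get(NAME_CONSTRAINTS)
        if nc and NAME_CONSTRAINTS in supported:
            permitted_sets.append(nc["value"])
    return True, "ok"

def make_chain(leaf_name, nc_critical):
    """Constructed sample: a sub-CA limited to example.com issuing one leaf."""
    ca = {"name": "Constrained Sub-CA", "extensions": {
        NAME_CONSTRAINTS: {"critical": nc_critical, "value": ["example.com"]}}}
    leaf = {"name": "leaf", "extensions": {
        SAN: {"critical": False, "value": [leaf_name]}}}
    return [ca, leaf]

FULL_CLIENT = {SAN, NAME_CONSTRAINTS}
LEGACY_CLIENT = {SAN}  # hypothetical client without Name Constraints support

if __name__ == "__main__":
    for client, label in ((FULL_CLIENT, "full"), (LEGACY_CLIENT, "legacy")):
        for critical in (True, False):
            for host in ("www.example.com", "www.example.org"):
                ok, why = validate(make_chain(host, critical), client)
                print(f"{label:6} critical={critical!s:5} {host:16} -> {ok} ({why})")
```

With the constraint marked critical, the client lacking support rejects every certificate under the constrained sub-CA, including in-scope ones; with it non-critical, that same client accepts the out-of-scope name because the constraint is never evaluated.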


