The author is claiming that a sufficiently capable attacker can MITM the ACME protocol used to automatically renew certificates (and thus get a valid certificate issued for the victim domain with the attacker's private key). This is probably true as far as it goes, but certificate transparency logs make such attacks easy to detect, and browsers will not accept certificates that are not in the logs. Web sites that do not monitor CT logs probably are vulnerable to well resourced attacks of this kind, but I don't think there is a huge plague of them, maybe because attackers with the ability to MITM DNS requests for LE don't want to burn that capability on such easily detected attacks.
Also, if the CA runs the ACME check from five different validation servers that aren't all on the same continent, which Let's Encrypt does and all other CAs will be required to do in a couple years, then it is dramatically harder to simultaneously MITM them all. And if you really want to, you can use DNS-01 with DNSSEC, which means an attacker would have to be able to compromise DNSSEC on top of everything else.
