But what could an attacker actually do in vbezhenar’s proposed protocol? An attacker could… get a new certificate for a private key they don’t have? How is that bad?
Well, you would only need to compromise a DNS zone once and sneak in your DNS record. If the actual owner of the domain/zone does not carefully watch their records and if they use a different verification method for their certificates, then you'll have a continuously operating backdoor. Maybe this is somewhat fabricated, but if you require a fresh challenge every time, then that means the attacker has to maintain a compromised channel to the DNS zone, which one could argue raises the bar significantly.
A bit far-fetched, but sure. You could require that the certificate put into the DNS record also had, say, today’s date on it (UTC). This way, you’d fix the problem you describe but still have a vastly simpler process than ACME.