Might just be because you need DNSSec for that technique to be viable (otherwise an attacker could just spoof the DNS response too) and that hasn't been widely available until recently. Offhand it sounds like a pretty good approach now.
Point is, this is what we do now. We do this without DNSSEC. The step of receiving the email is pretty much redundant and is only there because people understand email better than creating a TXT record.
DNSSEC is a terrible ide and should be abandoned for many reasons. So should this method of ___domain validation. You know who knows for sure that you own the ___domain you say you own? The registrar. That is who should issue you your cert, not some third party.
