Digital certificates
Mikola Poltavtsev, 2021-02-04 14:46:14

Multi-domain SSL certificate for more than 100 domains?

Colleagues, there is a project that provides the option to bind your domain.
In fact, all requests go to one PHP script, but depending on the domain, different content is shown.
And the question arose about SSL certificates, which have a limit of 100 different domains.
How is it possible to bypass it, other than by keeping multiple installs?
Somehow this is done on large projects.
The main thing is that there are no redirects and everything is processed by one script.

5 answer(s)
Saboteur, 2021-02-04
@saboteur_kiev

On large projects, as many certificates as needed are simply made.
If we are talking about a network inside a corporation, it simply creates its own CA, the root certificate is distributed to all machines via policies, and you can issue even a million certificates there.
In general, the restriction consists of two parts. First, the issuer's restriction: look for another CA where there is no such restriction. For example, Comodo - the limit is 2000.
Secondly, not all browsers are ready to load multi-kilobyte certificates. If you end up with a certificate that is larger than 16 KB or 64 KB, various levels of problems may arise.

Dmitry, 2021-02-04
@Tabletko

wildcard certificate

Sanes, 2021-02-04
@Sanes

  • Register an AS or ask the owner to issue a certificate for the IP address.
  • Use Cloudflare Proxy

CityCat4, 2021-02-05
@CityCat4

"Somehow this is done on large projects."

Large projects buy the right to be a subCA. Well, that is, of course, they do not receive a CA certificate, but they get some ability to issue certificates themselves, signing them with the certificate of the CA they have an agreement with. This is if you need certificates that are recognized. If you don't care about recognition - for example, for mail or for internal needs - then you simply set up your own CA, and there you can do whatever you like.
Issuing a certificate with a hundred SANs is a sure way to get errors - timeouts for loading certificates are usually hardcoded: if it did not load in time, that's it, bye-bye.

nokimaro, 2021-02-05
@nokimaro

What is the problem with issuing an individual certificate to each client via Let's Encrypt?
After all, in order to bind their domain to your service, the client will have to specify the IP of your servers in the A records of the domain, which means that you can issue a certificate for each domain without any problems.
This is how, for example, GitHub Pages does it: anyone can bind their domain, and GitHub takes over the issuance and renewal of the SSL certificate.
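
The per-domain approach in the answer above depends on the client's A records pointing at your servers, so a service would normally check that before asking the CA for a certificate. The following is an added example, not code from this thread or from any project it mentions; the IP addresses, the registered-domain set and the function names are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Constructed sample data: the service's public IPs and the domains that
# customers have bound in the service (in practice, a database lookup).
SERVER_IPS = {"203.0.113.10", "203.0.113.11"}
REGISTERED = {"shop.example.com", "blog.example.org"}

def normalize(host):
    """Lowercase ASCII (IDNA) form of a hostname, or None if unusable."""
    host = host.strip().rstrip(".").lower()
    if not host or "*" in host or len(host) > 253:
        return None                      # empty, wildcard or over-long name
    try:
        ipaddress.ip_address(host)
        return None                      # a bare IP address is not a domain
    except ValueError:
        pass
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None                      # empty or over-long label

def resolve_a(host):
    """Default resolver: the IPv4 addresses the name resolves to right now."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def may_issue(host, resolver=resolve_a):
    """Gate run before requesting a certificate; returns (allowed, reason)."""
    name = normalize(host)
    if name is None:
        return False, "invalid hostname"
    if name not in REGISTERED:
        # Without this, anyone pointing a name at the service could burn
        # the CA's rate limits on your account.
        return False, "domain not registered by any customer"
    addrs = resolver(name)
    if not addrs:
        return False, "no A record"
    if not addrs <= SERVER_IPS:
        # A stray record can send the CA's validation request elsewhere.
        return False, "A record points elsewhere: " + ", ".join(sorted(addrs))
    return True, "ok"
```

The resolver is passed in as a parameter so the decision logic can be exercised without network access; in production the default `resolve_a` is used.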
