Authorities can issue certificates for IP addresses. They merely cannot issue certificates for non-public IP addresses.
And: yes, maybe certificates for 127.0.0.1 should be disallowed altogether. But this creates a backwards compatibility issue, and I’m not sure browser vendors are willing to do it.
I see that indeed it is allowed to issue certificates for IP addresses (though not for private addresses). In my opinion this should not be allowed; there is no real justification for issuing them.
I don’t believe in too-big-to-fail theories about certificates for local addresses; they are not allowed and should not be accepted. If your application breaks, you get to keep the pieces. I doubt there is a lot of real use though, apart from misuse as in the article.
South Korea needs to rethink its security ‘solutions’ and the only way to do that is by the software vendors forcing their hand.