So there is a more general standard which the ACME protocol automates. Or perhaps another way to put it is that, the standard is written in a way that "just happens" to be nicely automatable.

Yes this is why multi-perspective is described as a "mitigation" above. Ideally, ACME issuers have a large array of perspectives with additional perspectives added frequently to foil planned attacks. But real BGP security is the actual solution to this problem.

Not exactly. There's a document, the Baseline Requirements or BRs: https://cabforum.org/working-groups/server/baseline-requirem...

This document is essentially an agreement between the Trust Stores (largely the browser vendors such as Microsoft, Google, Apple, and Mozilla) on behalf of their Relying Parties (everybody) and the Certificate Authorities they choose to trust. It lays out the requirements on what the CAs may do and how they may do it, the numbers I quoted were sub-section numbers for what are sometimes called the "Blessed Methods" which these days are listed in those requirements - for how a CA shall check that say a certificate for news.ycombinator.com can be issued to this web server we're both using.

This isn't a "standard" really, any more than you'd say the Geneva Conventions were standards. It specifies (that "- ACME" is from the document, it's not my addition) that you can use some ACME protocol features to achieve the name confirming requirement but it also specifies some ways to do so manually. Last month quite a few of the older methods were finally stopped for new issuance (though existing confirmations for those methods will keep working for a few years if you have them). Stuff like "Find the landline phone number for the company in a government directory and call them" which I'm not sure really still made sense when the BRs were first agreed, let alone last month when it was finally removed.