Though it goes without saying, these comments reflect my own experience and opinions, not those of NamePros.
DV certificates make no assertion about identity or intentions of the entity in control of a website. It was just as trivial for attackers to get DV certificates prior to Let's Encrypt. LE wasn't the first to provide free DV certificates, and they won't be the last.
DV certificates offer encryption and authentication of the domain--hence the name "domain validation" (DV). They do not authenticate the entity controlling the domain. It's vital that all websites be able to easily obtain and implement at least DV certificates.
Let's Encrypt has a stellar record, and this occurrence is a testament to that. Other notable CAs that often charge quite a bit for their certificates
have gotten in big trouble because they made
far more serious mistakes and
refused to respond appropriately.
Edit: Keep in mind that Let's Encrypt is a strong proponent of certificate transparency. That is a far more effective mitigation for abuse than a small annual fee that someone can pay with a stolen credit card.
OV certificates make very little difference. You may be thinking of EV, but even then the efficacy is dubious at best.