Re: "We decided on a global fallback"
Actually, you can have certificates for IP addresses too. Subject alternative names can contain IP addresses as well. Probably no "root" CA will ever release a certificate with an IP, especially when you don't own (fully, i.e. like Apple) that IP address. But if you have an internal CA, and control your own internal address space, you can issue certificates with IPs as well. I do - for devices which I need to access even when the DNS system is down.
Moreover, people usually access devices by IP because they don't have a working name resolution system - but many devices do allow using HTTPS.
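
An added example, not part of the comment above: a throwaway internal CA issues a device certificate whose only subject alternative name is an IP address, and a client then validates the chain against that IP literal. The CA and device names, the documentation address 192.0.2.10 and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign issues tmpl under parent/parentKey and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub, parentKey interface{}) *x509.Certificate {
	der, cerr := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der) // returns an error on nil DER
	if cerr != nil || perr != nil {
		panic(fmt.Sprint("issuing failed: ", cerr, perr))
	}
	return cert
}

// issueIPCert builds a constructed internal CA and a device certificate with one iPAddress SAN.
func issueIPCert(ip string) (*x509.Certificate, *x509.CertPool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := sign(caTmpl, caTmpl, caPub, caKey) // self-signed root
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device"},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP(ip)}} // iPAddress SAN; no DNS name at all
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return sign(devTmpl, ca, devPub, caKey), roots
}

// verifyFor validates the chain and checks that host (IP literal or name) is covered by a SAN.
func verifyFor(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	leaf, roots := issueIPCert("192.0.2.10")
	fmt.Println(verifyFor(leaf, roots, "192.0.2.10"), verifyFor(leaf, roots, "192.0.2.11"))
}
```

Verification succeeds only for the exact address in the SAN; a different address, or the common name "device", is rejected, so a readdressed device needs a reissued certificate.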