I would like to propose adding functionality to make it possible to add Address Lists (from /ip/firewall/address-list/) to IPsec Policies in both Source Addresses and Destination Addresses.
This will make it much easier to route traffic via IPsec on a larger scale.
The protocol specification mandates that it would have to create a lot of SAs and associated traffic selectors based on the address lists, which wouldn't be manageable for the protocol. It would be much better to implement VTI like all major vendors did over time. But Mikrotik stays strictly compliant with the original IPsec approach, which specifies not only the communication protocol but also the security concept. If you are a significant customer, talk to them. If you are a hobby user, give up.
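To make the scaling point above concrete, here is an added example (not code from the thread or from MikroTik) that expands two address lists into the (source, destination) traffic-selector pairs a policy-based IPsec implementation would need, and renders one RouterOS policy per pair, which is what an admin ends up scripting today. The address lists are constructed sample data; the RouterOS parameter names in the generated commands (src-address, dst-address, tunnel, peer, action) are assumed from RouterOS usage, not from the post, and a real deployment would still append proposal, level and SA addresses.

```python
from ipaddress import ip_network, collapse_addresses
from itertools import product

# Constructed sample lists standing in for /ip/firewall/address-list entries.
# They deliberately contain overlapping and adjacent prefixes.
SRC_LIST = ["10.1.0.0/24", "10.1.1.0/24", "10.1.0.0/23", "10.2.0.0/16"]
DST_LIST = ["192.168.10.0/24", "192.168.11.0/24", "172.16.0.0/12"]


def normalize(entries):
    """Parse list entries and merge overlapping/adjacent prefixes, so each
    distinct address range produces one selector rather than several."""
    nets = [ip_network(e, strict=False) for e in entries]
    return sorted(collapse_addresses(nets))


def selector_pairs(src_entries, dst_entries, collapse=True):
    """Return every (src, dst) pair that would become a separate IPsec policy
    (and, once traffic flows, its own SA pair). The count is the product of
    the two list sizes, which is the scaling problem the post describes."""
    if collapse:
        src, dst = normalize(src_entries), normalize(dst_entries)
    else:
        src = [ip_network(e, strict=False) for e in src_entries]
        dst = [ip_network(e, strict=False) for e in dst_entries]
    return list(product(src, dst))


def policy_commands(src_entries, dst_entries, peer="site-b"):
    """Render one RouterOS policy per selector pair. Parameter names are an
    assumption based on RouterOS conventions; 'peer' is a placeholder name."""
    return [
        f"/ip ipsec policy add src-address={s} dst-address={d} "
        f"tunnel=yes peer={peer} action=encrypt"
        for s, d in selector_pairs(src_entries, dst_entries)
    ]


if __name__ == "__main__":
    raw = selector_pairs(SRC_LIST, DST_LIST, collapse=False)
    merged = selector_pairs(SRC_LIST, DST_LIST)
    print(f"{len(raw)} policies without prefix merging, {len(merged)} with merging")
    for cmd in policy_commands(SRC_LIST, DST_LIST):
        print(cmd)
```

Merging prefixes only trims duplicates within each list; the policy count still grows as |src| x |dst|, and every policy carries its own SAs and rekeys, which is why a route-based (VTI) design with a single any-to-any selector sidesteps the problem.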
Progress is moving forward. As you can see, the original IPsec assumptions are no longer sufficient. And you are absolutely right - VTI would have solved this problem as well as many others with IPsec. Which is why other vendors implemented this solution long ago. But Mikrotik… well… I can only quote the following meme here.