Imagine how hard it would have been to untangle cross-site security if he had followed that scheme. As it is, we already have to have arbitrary restrictions on where in the domain hierarchy you can root things like cookies (e.g. if you're on www.example.com you can set cookies on example.com, but if you're on example.co.uk you can't set them on co.uk).
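The cookie-scoping restriction described in the comment above, as an added example that is not part of the original comment: a check combining RFC 6265 domain matching with a public-suffix lookup. The `RULES` array is a constructed five-entry subset of the Public Suffix List, and the function names are hypothetical.

```javascript
// Constructed subset of Public Suffix List rules (the real list has thousands).
const RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"];

// Public suffix of a host per the PSL algorithm: the longest matching
// rule wins, "!" exception rules override, unlisted TLDs use the last label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = labels.slice(-1); // implicit "*" rule
  for (const rule of RULES) {
    const exception = rule.startsWith("!");
    const ruleLabels = (exception ? rule.slice(1) : rule).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(-ruleLabels.length);
    if (!ruleLabels.every((r, i) => r === "*" || r === tail[i])) continue;
    // An exception rule wins outright: the suffix is the rule minus its leftmost label.
    if (exception) return tail.slice(1).join(".");
    if (tail.length > best.length) best = tail;
  }
  return best.join(".");
}

// RFC 6265 domain-match: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// May a response from `host` set a cookie with Domain=`domainAttr`?
function maySetCookie(host, domainAttr) {
  const h = host.toLowerCase();
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  if (!domainMatch(h, domain)) return false; // sibling, child or unrelated domain
  // A public suffix is only usable by the host that is exactly that suffix
  // (RFC 6265 then stores the cookie as host-only).
  if (publicSuffix(domain) === domain) return h === domain;
  return true;
}

// Constructed sample requests.
for (const [host, dom] of [
  ["www.example.com", "example.com"],
  ["example.co.uk", "co.uk"],
  ["a.foo.ck", "foo.ck"],
  ["shop.www.ck", "www.ck"],
]) {
  console.log(`${host} -> Domain=${dom}: ${maySetCookie(host, dom)}`);
}
```

The wildcard and exception rules show why a fixed "number of dots" heuristic cannot replace the list: `foo.ck` is a suffix while `www.ck` is a registrable domain.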