Because the CORS spec says so:
http://www.w3.org/TR/cors/#resource-requests 6.1.3
Have you tried replicating using CORS from two different hosts using credentials with the * setting? If that works, that is a bug in CouchDB and we should fix it. Note that CouchDB will allow you to configure things as you describe, but you shouldn’t be able to replicate with credentials across hosts then.
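The rule referred to above, as an added example that is not part of the original reply and not CouchDB's code: a small model of the server's header choice (CORS section 6.1.3) and of the resource sharing check a user agent applies to the response. The config shape `{origins, credentials}`, the function names and the origins are assumptions made for illustration.

```javascript
"use strict";

// Server side (model): choose CORS response headers from a hypothetical config.
// A wildcard config sends the literal "*"; an explicit allowlist echoes the Origin.
function corsResponseHeaders(config, requestOrigin) {
  if (!requestOrigin) return {}; // not a cross-origin request
  const headers = {};
  if (config.origins.includes("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (config.origins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  } else {
    return {}; // origin not allowed: no CORS headers at all
  }
  if (config.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Client side (model): the resource sharing check. A credentialed request
// never accepts "*", even if Access-Control-Allow-Credentials is "true".
function resourceSharingCheck(headers, sourceOrigin, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return "fail";
  if (acao === "*") return withCredentials ? "fail" : "pass";
  if (acao !== sourceOrigin) return "fail"; // case-sensitive match required
  if (withCredentials && headers["Access-Control-Allow-Credentials"] !== "true") {
    return "fail";
  }
  return "pass";
}

// Constructed sample values.
const ORIGIN = "https://app.example";
const wildcard = { origins: ["*"], credentials: true };
const explicit = { origins: [ORIGIN], credentials: true };

function demo() {
  const check = (cfg, creds) =>
    resourceSharingCheck(corsResponseHeaders(cfg, ORIGIN), ORIGIN, creds);
  return {
    wildcardWithCredentials: check(wildcard, true),
    wildcardAnonymous: check(wildcard, false),
    explicitWithCredentials: check(explicit, true),
  };
}

console.log(demo());
```

A server that instead echoes any Origin while sending credentials passes this check for every site, which is why a credentialed setup needs an explicit origin list.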