
> The Canadian government runs several PKIs with tens of thousands of active certs, many thousands of revoked, no problems at all, because of CDPs.

Because thousands is off by several orders of magnitude.

Real public CAs are going to have to contend with revoking millions of certificates.

Each revocation cert is about 1KiB, so that's 1GiB of revocation data per CA.

That obviously does not scale.



> Each revocation cert is about 1KiB

How do you figure? Each revocation is by certificate serial number, which typically run 4 to 20 bytes, and the revocation date, with possible extensions for more information.

Add a little overhead for the signature on the list, etc.

Exaggerate wildly and call that 100 bytes per revocation: we're down to at most 100MB of revocation data for the million user case; that's not a lot of data.

It's probably closer to 20 or so bytes per revocation, ~20MB of revocation data. Spread out over as many CDPs as the CA wants to maintain.

The system used in the Canadian federal government creates one CDP per 375 users, so that CDPs are capped at roughly 750 certs each (each user has two key pairs, one for verification, one for encryption). At 20-100 bytes per revocation, that's 15KB to 75KB per CDP.

That's not much at all. And given that any given user interacts with a subset of all possible users, they won't have anywhere near all of the CRLs downloaded.



