One interesting thing I read recently is that, when building a circuit, Tor actively avoids picking more than one relay sharing a common attack vector.
Basically, it will not pick more than one relay with the same family id, router or /16 subnet.
Your point is still valid, since AWS and other big web hosts like OVH obviously have a lot of /16 subnets and distinct router addresses, but it's good to see this was anticipated by the design.
To be fair, I suspect there is already a similar problem simply due to economics: running a relay costs money, so the vast majority of relays are running in the first world, which correlates well with countries that have extradition treaties with the US, for example.
Basically, it will not pick more than one relay with the same family id, router or /16 subnet.
Your point is still valid, since AWS and other big web hosts like OVH obviously have a lot of /16 subnets and distinct router addresses, but it's good to see this was anticipated by the design.