When master server shuts down its slaves stop receiving events from it at random
point in terms of replication event count (such as GTID), specifically it's not guaranteed
that all the replication events have been sent to a slave. Therefore such slave can't
be automatically promoted to master.
It must be feasible how to defer critical shutdown operation until after all/some of the currently connected slaves have received the last event from the master binlog. When client connections are closed, so no more data are generated for replication, the fact of sending (even better - receiving) of the last event should release the final phase of shutdown.
Such slow way stopped master is guaranteed to have an up-to-date slave that was fed with the last master binlog event.