Because at it's core, it's a hardware design flaw, not a software bug.
Also it affected multiple vendors, not one, so coordination across a minimum of 10 major organizations (google, apple, MS, Amazon, Intel, amd, Linux, etc.) breaks the normal assumptions behind project 0.
Given those issues, different rules make sense. It's not a normal case where a single vendor has a flaw that can be fixed with a single patch.