A good portion of LibreSSL's patches are in the form of removing code for dead platforms like VAX/VMS and OS/2, problematic wrappers like openssl_malloc() or patching the everything-on-by-default approach that OpenSSL takes. The OpenSSL team actively refuses any such patches, which is why LibreSSL was forked in the first place.
Do LibreSSL and OpenSSL have the same goals? Do they both want to support the same features/hardware/etc.? If LibreSSL remove something because it's not needed for what LibreSSL wants to support, but OpenSSL does want to support it, then what should happen? Should it be removed? Or not?
And they could have found the security bugs and report them to OpenSSL even after they forked. If they actually did some serious security investigations of the code they took and kept in their fork, it should be natural to discover such issues and not just wait for others to find them in OpenSSL.
While I generally agree that this should be done, I'd also like to point out that many (most?) security fixes in LibreSSL are really "side effects" from trowing away lots of code, or cleaning it up.
That's my impression too, that they threw away a lot and replaced a few functions with the "good-practice in OpenSSL" ones, but otherwise haven't changed too much, so the code base can be easier to maintain but is not necessary "the" solution some believe it is.