
I think people misperceive "security fixes" as a binary thing when it's really a sliding scale. The choice to backport is often not a clearcut decision, and you need to balance the risk of the underlying issue against the potential conflicts with a legacy platform and its dependencies. Otherwise, your security update might cause quite a bit of collateral damage. So, Microsoft is understandably cautious and afaict backports only fixes for major issues.

Of course, that gets complicated when you consider something like Chrome's sandbox, which can depend on system guarantees that Microsoft may consider esoteric or just low-priority. To their credit, Microsoft is responsive when we find these kinds of issues and report them. However, it's not uncommon for the issues to not be considered important enough to backport to legacy OSes (or for the task to just be too arduous). That's why we also tend to focus our work on the most current supported versions, which also offer increasingly better mitigation technologies with each release.


