Because CentOS was once an independent project and Redhat promissed to keep Centos 8 alive till 2029.
Security patches are not backports, they are security patches that obviously should be for free, Redhat is making loads of money off free software already.
Something like RHEL 6 is running on a 2.6 Linux kernel, all security patches has to be backported. That is an EOL kernel. Almost all versions of the software bundled with RHEL 6 have been EOL from upstream providers during it's ten year lifetime. Of cause you're free to try to attempt to applied any patches yourself, you don't have to pay.
If RedHat promised to keep CentOS 8 around for 9 more years, then yes, that is very disappointing. It was a stupid promise to make in the first place, but still disappointing.
Security patches are not backports, they are security patches that obviously should be for free, Redhat is making loads of money off free software already.