I agree that the CP and CPS are not consistent in their treatment of this scenario. I believe the reality is that Let's Encrypt doesn't do any of these things under section 3.3 (rekey, renew, update) for end entity (DV SSL) certificates going out to users, it basically just always ends up under section 3.2 identity to issue a certificate via ACME even though we talk here about "renewing" certificates, as far as these policy documents are concerned those are still new issuances.
However, the CA also issues a far smaller number of certificates, not via ACME, for administrative purposes. While there are few of them, the rules for them end up much more complicated and take up a lot of these documents. The auditors must inspect these too of course. So renewal in the CP / CPS sense might happen for those. Maybe @jsha can explain all the stuff I inevitably got wrong above.