The Baseline Requirements set the current minimum accepted policies for the industry. The BRs have evolved over time, and allow many behaviors due to the necessity of certain legacy elements – or by accident. Many of the things that are allowed in one section of the BRs somewhat contradict other sections of the BRs. Additionally, many CAs and Browser Vendors do not believe these policies are secure enough, so they decide to implement higher standards and advocate within the CA/B Forum for the industry to adopt their more secure policies as the new standards.
IIRC, and I may be wrong on this, one factor when ISRG/LetsEncrypt decided they would only cache authorizations for 30 days was that the number is in line with the BRs' required expiry of an ACME token validity. While the BRs state a valid authorization can be reused for a period longer than 30 days, they also state an unvalidated authorization token can only be used for a period of 30 days. (Stated differently: you only have 30 days to validate the ACME token, but once you do, the authorization is now good for a much longer period.) The concepts are closely related and slightly contradict one another. Discrepancies like this are common with RFCs and standards, and they become more consistent over time.
So while the CA/B Forum allows for certain behaviors, it does not mean those behaviors are necessarily secure enough. LetsEncrypt - and most other CAs - believe many of these policies to be inadequate and choose to implement stricter requirements.
When it comes to some of the security models, a few things:
First, I'll link to my comment a few years ago here in a topic concerning OCSP stapling - What is the relationship between the revoking list and OCSP Stapling? - #36 by jvanasco - however the whole thread is worth reading. This should explain a bit why LetsEncrypt (and the industry) are moving towards shorter certificates and abandoning OCSP stapling. The design of the OCSP ecosystem and BRs create a situation where a certificate can appear to be valid for 10 days after being revoked.
Second, the link that Aaron Gable shared above regarding CA assisted validation contains links to a Doc and Presentation on threat modeling for that design. I'll directly link to them here:
While these don't go into the concepts of time-based reuse, they do detail the concerns and threats to the original authorization - and that should help you understand why the industry is moving towards shorter validities and reuse times.
In a nutshell: the current BRs and ecosystem are somewhat insecure in many ways, but they can't be fixed overnight because too many things would break - so we are slowly moving towards a more secure system.