The additional Ubuntu Pro security updates are also open source, which means open source maintainers are free to adopt them for the regular security updates (and some do).
If Canonical didn’t charge for those additional security updates they wouldn’t be able to pay for developing them, which would result in only core packages getting patched again. Also it’s possible to make an account and get them for free on a few devices, so it’s really not so bad. This way of doing things is better than what RedHat is doing with RHEL.
If Canonical restricted maintainer from applying Canonicals patches, I’d change my opinion. For me I don’t need security updates that badly, so I’m fine with Debian, NixOS (or Ubuntu non-Pro).