CVEs are important, but I think the question also refers to flaws and a project's ability to respond to them. Indeed, during any security assessment a company could encounter flaws, later being referenced as CVEs.
A project's members can easily ignore working on a report of a flaw found by a legit person online (or even during any security audit performed by another company) because they have other work priorities too. (It's like solving a challenge when you have another mission assigned to you.)
This applies to companies too. The one I work for evaluates the risk, and if it is evaluated as being low, the fix is not a priority. When browsing a project's CVE list page you can observe that many are considered low or medium risk.
Although both the OpenBSD and FreeBSD projects are not companies per se, they suffer from the same syndrome: being overwhelmed.
The only difference is "how overwhelmed you are".
Comparing both projects' sizes and responsibilities, we can assume FreeBSD might be prone to being overwhelmed, or at least more easily overwhelmed than OpenBSD.
But if they are not overwhelmed, they can allow themselves to quickly fix and patch any flaw reported, no matter if it's a low or very low risk.
Both have different security policies. Yes, OpenBSD is the more secure one could afford... yet. But I don't know if they could handle as much market share as FreeBSD.
Now, let's compare both OpenBSD's and FreeBSD's policies.
FreeBSD has a very strict and rigorous security policy involving many intermediate levels from when the flaw is discovered or reported until it is disclosed.
OpenBSD, meanwhile, finds bugs and fixes them.
On one hand, OpenBSD security team members are ahead of the flaw, because they detect any bug and fix it no matter if the bug could be a potential vulnerability or not. On the other hand, FreeBSD security team members put all their effort into fixing and patching, without hesitating to contact (or request) experts external to the FreeBSD project.
Answering your question, I do think CVE stats can be used to compare the security of OpenBSD and FreeBSD. Basing yourself on the CVE stats helps you choose between two products. OpenBSD offers a dedicated security team member fixing bugs one by one and FreeBSD proposes a security team working on fixing flaws. You can then choose if you want a project with fewer people working intensively on preventing flaws or a project with more people working intensively on fixing flaws. Both security policies are good (IMO) and the number of CVEs demonstrates FreeBSD's security team's capacity to provide a response. But the number of CVEs for OpenBSD indicates the project's security team's workflow is doing great.
To me, comparing both OpenBSD's and FreeBSD's CVE lists raises a question: "Which one do you bet on?"
I have seen many people choosing OpenBSD over FreeBSD because "they have fewer CVEs assigned", without understanding how its security policy works.
Many users ignore why OpenBSD's project has fewer CVEs.
But many choose to ignore that FreeBSD can be hardened the way you want.
Assuming you only choose an operating system based on the security policy. I know, one should not choose any OS based on just one argument, but many think the opposite way.
CVEs are the result of a flaw report and sometimes a disclosed fix, but the flaw can be frozen by a company too. (This leads to the flaw being known to few, and some consumers are alerted before others, so the information security professionals from those companies could help fix it prior to any public disclosure.)