The event-centric, not device-centric, approach to the event taxonomy can certainly be confusing, and frustrating to reverse engineer. The connectors decide where to map something when they parse the event. The reason they aren't device-centric is that multiple types of devices actually generate those events - firewalls, IPSes, operating systems, basically everything generates a Logon, for example. This makes it easier to create rules that say something like "when someone logs on using admin to anything, that's bad" versus having to say "when someone logs on to windows, or my IDS, or my firewall, or their VPN, or, or, ...".
That said, there IS an event-centric hierarchy in the events - if you toggle from the alphabetical to the tree view, you see something somewhat like what you have there - where the events go:
Security Event > Recon > Scan > Port Scan
vs.
Security Event > Attack > Network Attack > Core Access
(this is paraphrased, I don't have it in front of me!)
The fields are inherited at different points in the tree - you might acquire fields from Scan, from NetworkAttack, and at the top level with the base dozen or so fields. You can accrue them all the way to the end; for example, VirusAttack might be one of the few events with the VirusName field.
Your frustrations are valid; it's a problem the LEM team has been trying to find a way to solve really well for quite a while. Hopefully they come up with something.