Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager
Re: LEM nDepth Results vs Result Details

Interesting. The histogram is drawn from index data - basically aggregate counts that are stored separately and contribute to the left and the top panels. Result details is pulled from the actual data stored on disk. The CSV will always match result details, since those are the actual results retrieved for that time frame.

The question as to why they differ is totally valid, though. One possibility is in cases where LEM couldn't pull the right timestamp it puts them in "current time" as to when they were read, which could make them out of sorts. Unlike with normalized data where we have multiple timestamps, raw data ends up having to trust and store the timestamp from only the log (or time the log was read if one is missing). CiscoFirewalls is NOT usually one of those cases, usually the timestamps there are pretty reliable.

Another possibility is that the histogram isn't accurately refining data to match your search and is showing more results, but that would be a bug IMHO.

Log messages don't get used as much as normalized search, so you might want to log this as a bug anyway. The assumption that result details should match the histogram is absolutely fair.
