The guys over at lineageos.org are busy rolling out 15.1 builds (that is android 8.1) and even provide builds for my somewhat aged Nexus 4 (reminder: from 2012) so i still get the “new stuff” and security updates for that device.
There were discussions about IoT devices and making regulations so manufacturer of devices are require to at least provide security updates for a certain timeframe but sadly no regulation was passed so far.
IMHO we need to enforce security updates for 5 Years for most devices lime IoT for smart home, smartphones etc … having manufacturers put a label on the box with the timeframe where he will provide software updates and security updates should have a good chance at getting manufacturers to compete with longer timeframes, reducing the number of devices that gets thrown out simply because they are not secury anymore.
Just to give another example:
@work we had a video conferencing system. Of course that was outdated after a few years, but was technically still working ok. Just a small hitch: No security updates from the vendor without maintenance contract, and after just 5 years no updates whatsoever since the product was EOL. Let me remind you, that is something that needs to be online to be useable, and is publicly reachable. And not cheap at all that thing was over 10k €.
It should be illegal for devices that require to be online not to provide security updates for free, and for a reasonable timeframe considering the price range the device is in.