Another alternative would be to keep releasing security updates. If open source projects can manage more than three years' support, it's not out of the question for Google to do it, at least for the major versions.
I'm using a Galaxy Note 3 with CyanogenMod 12.1 (Lollipop) and I get each month's security updates. So it appears as though Google does release security updates for existing major versions.