It's actually astounding, albeit hardly surprising, that companies often have zero interest in pushing security patches to devices not being manufactured anymore.
If/when it becomes a risk they must mitigate against (be that a financial or reputational risk), I guess they will.
Heck, until Stagefright, Google didn't even release security bulletins. It was nigh-on impossible to keep track of all the vulnerabilities. They only released security patches in new version releases. That wasn't good for vendors.
Now Google has pushed forward, and it's the turn of OEMs. They shipped patches to StageFright due to the massive bad PR (headline news in many countries, was a talking point amongst even the vaguely tech savvy).
Unless regulated or they feel they will lose money by not doing so, I don't imagine anything changing soon unfortunately. Qcom and other SoC makers are part of the problem too, since they try to drive chipset sales by only supporting older chipsets for a short time.
I have an iPhone 5 (4 year old phone) running the latest OS and it works fine. No, it's not as fast as the latest devices, but it works adequately if one desires to keep using their 4-year-old device.
While I agree that's been the case in the past, supported devices are fast enough now that it really doesn't slow them down anymore. Even the lowest supported device runs well on iOS 10, and it has gotten official updates years longer than all android devices I know of.
Sure, one could install an updated and more secure rom (assuming it exists for your device). But, the vast majority of users don't care or won't bother to go through that process, rendering it a completely ineffective solution for the general consumer market.
But even if Apple may be better than most Android manufacturers, Apple still doesn't support devices it considers "Obsolete"...and there is nothing you can do about it other than buy a new phone, since the bootloader is locked down. According to https://en.wikipedia.org/wiki/List_of_iOS_devices anything before iPhone 5 is considered "Obsolete" and they don't seem to be releasing updates. On the other hand, I've been happily using my Samsung S3, which CyanogenMod has been pushing the latest Android updates to nightly...and that is likely to continue as long as there are enough of us who care, even if Cyanogen and Samsung go away.
For the record, the Galaxy S III was released in the same year as the iPhone 5 (2012), so for now your device hasn't lasted any longer than an iPhone. But I don't doubt that it will.
Oh, I'm not denying most OEMs are terrible at this—this is the massive Achilles heel of Android.
OTOH, in a sense I have a higher expectation of "aftermarket" OSes insofar as they're actually pushing semi-regular updates which I'd hope would include all needed security updates.