I can totally get behind them having to enter into a legally binding statement, given that it increases the transparency allowing me to make an informed decision as a buyer.
However I still have difficulty in the grey area between "security" and "other" update...
Well, sure it's grey, but it's a finite and definable quantity.
Addressing known and reported vulnerabilities would be a start - many routers and phones have known vulnerabilities and can be pwned in minutes.
Then I would include degradation of service - example, I have a Samsung Blu-ray box that came with YouTube functionality. Within 1 year that didn't work any more because of changes to YouTube.
Within a period of time they should be judged to maintain such software degradations.