My limited understanding is that smartphones also have firmware that is distributed by the manufacturer that also requires security updates. So GrapheneOS takes care of the operating system, but Google would need to provide the firmware updates. I think this is one of the reasons why the Graphene docs recommend a Pixel 6/6a, as they have an unusually (for Android) long support life from Google - 5 years or so.