[enachtry]

Not like that. There's a much simpler solution. Make it mandatory to have written on box just like any other tech spec, the minimum date until when security updates will be provided, the cadence of updates and their nature (e.g. for Android could be upstream updates).

There is already legislative warranty framework around compliance to promised specs. This means if the date is not honored, customers can turn against stores and return the products. Stores can then return against distributors/manufacturers, etc.

Also forbid sales of any network connected devices (phones, tablets, TVs, routers, etc) past that date because it's a wide security risk, particularly for people who are IT analphabets.

You'll then see how spectacularly quickly everyone lines up to security update schedules and standards. They will also find a way to prolong the date for devices that sell well.