by binarycrusader 4537 days ago
It isn't a non-event; you may not get some (or any) security fixes because the vendor didn't provide the latest Android update.

Given how much many people depend on their phones and how much information they usually have on them, I think security is pretty important.

That's why I got a Nexus 5; I'm confident I'll continue to see updates for some time.

2 comments

This is the really important point. We've been protected so far by the fast evolution of phone hardware and the mass migration of people to smart phones. It's hard to perceive it but the game is now changing: we're into an iteration of phones now that the masses are purchasing that they may well hold onto for 5 years+. If security updates stop after 1.5 years, that's a terrifying mass of insecure phones holding everything from email accounts to bank details. Google can update a lot of things via the Play Store, but they can't patch kernel vulnerabilities or driver exploits.

Google really needs to include in their Play Store agreement some kind of requirement to ship critical security updates within a defined period of time. Yes, that's going to hurt - the maintenance burden of shipping an Android phone is going to rise dramatically if you inherit a burden of 5 years of updates. But then, critical security updates should be extremely incremental updates that rarely involve any functional changes to the user.

I'm not sure how the Android ecosystem is sustainable without something like this. At some point there will be an Android security apocalypse: an exploit that can't be fixed without a kernel update that affects hundreds of millions of legacy phones that have been abandoned by their makers.

I don't know why you feel confident; the old Nexuses stop getting updates too. They get them slightly longer than the average Android phone, but not by a lot.