Re: They'll fix it, but users won't get it
"Users of anything other than brand new models will never get the updated Android with security fixes. "
Untrue. Google have been moving parts into updatable modules via play services. BoringSSL is a serviceable Google play module, as is much of the media playback library. All android devices get these updates.
Most phones get reasonable patching, my wife's 18 month old Samsung S3 got March 2017 update.
What the real agenda is, is purple are hoping to get full version android upgrades on old devices, that's simply not going to happen, even apple don't do that (not even after aging apple premiums), they pretend they do with feature lite pretend updates, that have the correct number but missing key features