As the article points out Google could mandate all manufactures follow the Android one model and supply updates for at least 3 years if they want to get certified for Google play services.
The governments could also pass laws to make manufactures list how long they will supply software updates on their advertising for new handsets, so buyers can be better informed before purchase.
And finally consumers can choose not to buy phones from manufactures that don’t provide updates. I replaced my phone with a Nokia last year and one of the reasons was that it came with Android one and I would get 3 years of security patches.
One other issue though is that a lot of users don't even know that their phone should be updating with security patches. People like my elderly parents who only fairly recently got their first smart phones would have no idea that they should be getting regularly download security updates on their phones. So the manufactures can get away with not offering them.