
The EU is working on a law that forbids selling devices with known vulnerabilities. This means manufacturers will either have to patch their stuff quickly or risk getting their entire lineup banned from sale if a serious security issue is found in their hardware. Stores will probably demand support lifetimes as well or they'll be stuck with unsellable stock once a company decides that three years of updates turned out to be too long after all.

I think further provisions are necessary, such as source code escrow; once you go out of business or drop software support for a product, the entire code repository should open up to the public to fix it themselves, including the necessary keys to load the replacement software. It shouldn't matter if you use the same code base for other devices that you do support, if you're maintaining that code you may as well push those fixes out to older devices.

The biggest issue with phones and tablets is that often the problem lies within a kernel driver that the manufacturer has no control over. Qualcomm and friends are the biggest crooks here, sometimes dropping software support for their chips after only two or three years, with no realistic alternatives for sourcing SoCs.




> The EU is working on a law that forbids selling devices with known vulnerabilities.

How does that help when most vulnerabilities are found after the phone was sold?


At least there would have to be a way to check on the official support status for a device to determine if it may be sold, so more transparency.



