Just because the phone companies should be doing that doesn’t mean that you don’t account for what the current case is. My personal laptop is over a decade old, and my phone is several years old too. I am absolutely a supporter of using your old devices as long as they’re still useful, but when you start to become vulnerable to security issues on a device you use consistently everyday, you need to fix that, whatever the solution may be.
I’m honestly wondering who you’re responding to with this. Of course the vulnerabilities are software. Why would they be hardware? OP talked about how he couldn’t update the software to allow him to access an app he wanted to use. They’re on iOS, and you’re talking about Android. Do you think developers don’t debug their software at all? 99.99% of devs aren’t intentionally creating vulnerabilities in their software. We’re not talking about web development?