For vendor EoL’d devices, for round about a third of the code that the device runs outside Android, on the many little chips (GPU, modem, peripherals - increasingly not the Linux kernel itself), you’ll never see a security patch again unless you contract Qualcomm and suppliers for 1M for another year or two. Within Android, “the framework”, you’re free to rebuild from fresh sources at any time to get patches, unrelated to vendor support. That is what Lineage’s and /e/OS’s meaning of support is. Once AOSP or “the framework” drops the Android major, then it’s “legacy” for them too. Crafty maintainers do ASB (Android Security Bulletin) backports to deprecated Android framework versions or even vendor kernels - but that is best effort. Exploits are released for AOSP and vendor firmware roughly half and half, so devices EoL’d by the vendor inevitably rack up numbers of possible vulnerabilities. Strict device support projects such as Calyx and Graphene axe those devices. The meaning of framework vs. vendor security patches in Android is represented by two different dates, one on the 1st of the month, the other on the 5th. The Pixel 2’s vendor patch level date never moved beyond Oct 2020 - but it does still get those 1st-of-month AOSP patches. If you want to stay in the vendor support window, prepare to buy new.
It used to be delayed in previous years, but it got better. Others are more regular (LineageOS does weekly builds) - and for the strict projects it’s a source of pride to update both AOSP and vendor firmware quickly.
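The gap between the two patch dates described in the first post can be measured on a device. The following is an added example, not part of the original posts: it reads `getprop`-style output and reports how many months the vendor patch level trails the platform one. The property names `ro.build.version.security_patch` and `ro.vendor.build.security_patch` are not from the posts, and the sample values are constructed (the vendor date follows the Pixel 2 case mentioned above).

```shell
#!/bin/sh
# Constructed sample in the format printed by `adb shell getprop`
# (not captured from a real device).
SAMPLE='[ro.build.version.security_patch]: [2024-03-01]
[ro.vendor.build.security_patch]: [2020-10-05]'

# patch_level PROP: read getprop-style text on stdin, print PROP's value.
patch_level() {
    grep -F "[$1]:" | sed -n 's/^.*: \[\(.*\)\]$/\1/p' | head -n 1
}

# to_months YYYY-MM-DD: print year*12+month; fail on malformed input.
to_months() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%%-*}
    # Strip a leading zero so "08" and "09" are not parsed as octal.
    echo $(( y * 12 + ${m#0} ))
}

# vendor_lag_months: read getprop-style text on stdin and print how many
# months the vendor patch level is behind the platform patch level.
# Returns 2 if either property is missing or malformed.
vendor_lag_months() {
    props=$(cat)
    platform=$(printf '%s\n' "$props" | patch_level ro.build.version.security_patch)
    vendor=$(printf '%s\n' "$props" | patch_level ro.vendor.build.security_patch)
    p=$(to_months "$platform") || return 2
    v=$(to_months "$vendor") || return 2
    echo $(( p - v ))
}

# Run against the constructed sample.
printf 'vendor patch level lags platform by %s months\n' \
    "$(printf '%s\n' "$SAMPLE" | vendor_lag_months)"
```

On a connected device, replace the sample with live output: `adb shell getprop | vendor_lag_months`.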