Yes, I could use a phone that is no longer updated, because I don’t see myself buying a new phone just for security updates (or even for a new Android version if there are no major differences), but I would be very careful about what I install.
Actually, even if my phone (Galaxy J5 2015) receives security updates right now, I don’t think the hardware (Wi-Fi chip, Bluetooth chip, etc.) is updated (because Samsung or the manufacturers of those chips don’t support them anymore). So I’m already living with a phone with potentially discovered vulnerabilities. (I’m not sure about what I’m saying, but I think I’m right.)
Anyway, I guess Google will at least support Pie for 3 years, so you will receive security updates at least until the end of 2021.