Those security vulnerabililties are because of buggy old software, and updating the software in the old devices does as good a job of fixing the vulnerabilities as selling you a new device does. A significant e-waste tax on every new device, accompanied by credits for keeping old devices working, might help with that. Anyway, if it’s an app (rather than OS) vulnerability and you can’t fix it with an update because the new version of the app requires a new OS, that’s mostly likely an app that you don’t need to use. I’m getting by ok with F-droid apps instead of Play Store apps, for example.
Best still would be to debug the software before shipping it, so it wouldn’t have those vulnerabilities in the first place. There are various forces that get in the way of that, but a significant one is that web development is now driven by delivering more advertising rather than useful information to the user.