I find it funny you think your vendors are somehow required to push updates to your device. They're not.
Next time before you buy, check the support list of a custom ROM.
Don't buy any no-name Chinese crapware, then install some other custom Android OS, and be done with it.
Vendors are definitely not required to push updates, but they probably should be. It is pretty irresponsible for vendors to continue selling phones with known vulnerabilities, or ignoring vulnerabilities and not offering patches.
This is not unlike an automobile firm allowing known safety related flaws in their cars to persist because it is too expensive to fix them. I'm looking at you GM. In this case the "safety" flaws are not life threatening, but are a threat to our privacy and security. The recent StageFright bug is a good example. This flaw not only compromised the usability of the device, but potentially compromised users' banking and credit information. Plenty of phones will NEVER get patched and users will continue to use these shitty, vulnerable devices.
This is partially Google's fault for making Android so mutable; it's crazy hard and expensive for manufacturers to keep up with patches and there's no incentive for them to do so. That's not an excuse for us not to hold them responsible. We certainly expect our cars to not explode in our faces throwing metal shards into our eyes and thorax. We should hold phone makers to the same standard. We should expect that known security flaws will be patched and not ignored.
Will this increase the cost of phones? Probably. But would you rather have a slightly more expensive handset that gets security updates, or use a phone that's woefully out of date? If you are in the latter category, you're probably reading this in Internet Explorer 5 on Windows XP and in for a shock when you open your retirement account and find a balance of $0.00. Or worse, -$53,000.99.