It's ridiculous that the Android phone I bought a year ago will never get a security update.
Part of this isn't due to Android, but to hardware manufacturers - drivers aren't available / updated.
The current tendency for chipset manufacturers is to fork whatever Linux kernel version happens to be the base of the Android Letter of the day.
Then slap some binary drivers on it, and call it a day and never ever touch it again.
Hardware manufacturers come, and to be faster to market, basically just re-adapt an existing board design from the chipset manufacturer, and quickly botch some Android user space on top of the above-mentioned kernel. Once they have sold the smartphones to retailers, they abandon them and move to the next model.
By the time you want an update for your phone, the phone's manufacturer might not even exist anymore or they might have abandoned it long ago. Even if they wanted to make updates, there would by then be the problem of getting a newer kernel + userland driver set - but the chipset manufacturer has completely abandoned it.
Google might be happily still providing newer versions of Android and fixes (currently all the way back to Android KitKat), it will take some tedious work by the people of LineageOS (formerly CyanogenMod) to build an image you can actually use... as long as your phone will actually authorize you to flash it.
Moving to another OS isn't going to fix these troubles: you'll still be bound to the same binary drivers (running thanks to the libhybris adaptation layer, because you want an actual GNU/Linux OS instead of the weird Android user space and driver API).
Case in point, the original Jolla 1 smartphone by Jolla Oy. It runs Sailfish OS (a descendant of Nokia's Maemo/MeeGo, and cousin of Samsung's Tizen).
As of 2017, the OS itself is still getting the same upgrades as all the other devices officially supported by Jolla Oy (currently 2.1.1, with 2.1.2 coming out soonish).
But on the Jolla you're still stuck running whatever Linux kernel (3.4.xx) Qualcomm happened to fork back when they developed the drivers for the onboard Snapdragon 400.
And thus the provided Android application compatibility (Aliendalvik by Myriad) is limited to Jelly Bean, not KitKat like on the other devices supported by Jolla.
The only exceptions are a few chipsets by Intel (official upstream drivers in kernel - but they exited the smartphone market), by Qualcomm (some of their GPUs can work with the Freedreno driver, if you're lucky) and a couple of chipsets by Freescale (some of their Vivante GPUs are supported by the Etnaviv driver, or support could be coming soon. That's part of the reason why they got picked up by Purism for their Librem smartphone).
But none of the sexier, more powerful chipsets is currently supported well enough by open-source drivers. Thus you're still stuck with a manufacturer-provided, outdated "Android" Linux kernel and drivers.