Android Security Is a Joke
This is the way Android security works as I understand it. Please correct me if I'm wrong. If you buy a Google Pixel you will get guaranteed security updates for 3 years from the date of release of the phone model- as soon as Google fixes any security problem. After that you're on your own.
If you get a phone with Android One you will also get guaranteed security updates for 3 years from date of release of the phone model, but not on the day Google fixes the security problem. Google will announce the security problem, then hackers will get a few weeks to work on something until the OEM gets around to putting the fix on your phone.
If you buy any other Android phone you are entirely up the OEM. Best case - security updates for a few years released by the OEM weeks after Google announces the fix. Worst case - no security updates at all.