Google could, and probably would become more malicious on deprecating and obsoleting old hardware, but that’d be a huge revenue loss for them. They tend to actively support the app layer on older Android OS versions (here’s an arbitrary breakdown from some web search: https://composables.com/android-distribution-chart ) for a very long time, as older Android is used in many embedded devices, inexpensive devices, purpose-built devices, and other places.

Keeping the Play Services and Play Store up to date on older phones means they can continue a metadata-gathering and app-sale revenue stream on older phones for many years after they “age out”.

Couple that with the fact that most “reasonable” vendors now try to support 3, 5, or more years on a piece of hardware, you should at least be able to get almost half a decade out of a phone before it no longer receives primary OS updates, and likely then another 5 or so years until they stop updating for that API level.

The ELI5-ish version of it is Android is composed of a few layers. The stuff that makes the hardware work, the stuff that makes the OS work (drawing on screen, install/remove programs, texting, calls), and the stuff that makes the software (apps, etc.) work. The part they stop updating is the stuff that makes the hardware work, and the stuff that makes the OS work. However, it’s already working, soo… Over the years, Google spent a lot of time migrating as much of Android as they could so that the apps, some bits of OS, and other things like app security could be updated even on very old versions of Android. You could turn on a phone from 2015 like the BlackBerry Priv right now, and install current apps and most things would run without issue.

Yes, there could be a slight risk that some malware comes out targeting older phones with older OSes and older hardware support, but that’s generally a smaller audience than targeting the latest and greatest phones that are way more “popular” - so not really worth it to malware peeps. The hack targets would most frequently be at the app layer to cast as wide a net as possible. Since Google continues updating Play Services and the Play Store software at the app layer, this would mostly keep people safe from the majority of attack vectors. The diversity of phone hardware really helps here.

Mostly though, mobile marketing just tries as hard as they can to create FOMO that you might be missing out on something by using an older phone.