Apart from the fact that the only answer right now for security-conscious android buyers is "get a Pixel" (I'm exagerating, flagship from a few vendors are good to go for 1-2 years), this is once again a reminder of the damages of binary blobs, here directly for consumers (they have non-updatable security holes).
Actually Android One devices are also guaranteed (inasmuch as the tiny text at the bottom of the Android One website [1] says) three years of security updates
> Monthly security updates to be supported for at least 3 years after initial phone release.
(scroll down to the bottom of the page and look for the double asterisks footnote. I don't know why they want to hide what is IMO the best reason to get an Android One device)
Good point. They previously removed this language from the website, glad they put it back. So yeah, buy an Android One at launch is good advice for the 3 years of security support.
It's still a short window IMHO, and it's bad for the planet to throw working devices after 3 years.
