That was the whole purpose of Project Mainline [0], which turned many critical system components into modules that can be updated through the Play Store regardless of manufacturer and OS updates.
Media codecs are one of the first things they turned into a module, specifically for this reason; it is one of the biggest sources of security patches. I actually remember hearing a stat that 90%+ of security patches are limited to a very small handful of components (media codec, crypt lib, network stack). So by turning those into modules that can be updated independently of the OS, all Android devices get to benefit from it, even years after they're abandoned by their OEMs.