You are right, which is why I stress the time component and e-waste concerns. If combined they end up meaning that a vendor ships you a device and they need to take it back for recycling in 2-7 years when they stop providing security updates, market will force a change.

At the moment, laws are disjoint even in EU, and not strict about what happens when you stop fixing security bugs.