These are massive companies with revenue in the billions of dollars. If this was regulated, they would figure it out. Frankly, in a lot of cases, it's their own fault that phones aren't updated anymore, not because of any inherent difficulties. If a handful of volunteers can push the latest LineageOS to 7 year old devices, then Samsung can too. It's just that they have no financial incentive to do so and there are no regulations forcing them to implement what's necessary for long-term support.
This will put many smaller brands out of business, driving up prices on the poor. Most lower end brands barely make a profit as it is (often selling at a loss when doing sales).
They don't even have to do their own security updates. If they stick to vanilla Android, they have much less work than if they customize the ROM for every one of their devices. There might even be an industry-wide push for Google to make it easier to update phones independent of firmware blobs (beyond Project Treble), because suddenly there will be financial incentive to push as much work/effort onto the most obvious candidate.
Random updates can break compatibility with the firmware if anything that firmware relies on in the kernel changes. It would still require them to fully test every function before each update.
They have no financial incentive to do so because people don't care. So why should the government try to substitute its own remote, bureaucratic judgement?
People generally don't see long-term or on a societal level. Do you think most people wanted seatbelts or the founding of the EPA? A lot of times these are issues that are outside the purview of individuals, outside of their visibility. Most people only care about a small number of things like where their next paycheck is coming from and what to wear going out tonight.