> Why not both? There is no compromise needed here.

You're assuming that it's actually feasible to keep old devices up to date for that long. It may well not be. It gets substantially harder to maintain old branches the further mainline has diverged from them. The original engineering team has typically long since moved on. The magnitude of the issue, here, can be on the scale of "we now need several times as many engineering teams".

This isn't a matter of "security updates would be better than no security updates". This may potentially be a matter of "security updates for four years is economically feasible, security updates for seven years isn't". (I'm not saying it is infeasible, just that it may well be.)

Thus a neat effect of such a law would be that SOC manufacturers would not purposefully break compatibility as much as they do now. Sounds like a win-win to me!

Or, much more likely, they'll continue building new hardware as they do now, and let the length of software support for old hardware in one particular market be a software problem for the vendors selling into that market.

Don't assume that attempting to solve a problem with a law can only have one possible outcome, and can't possibly have a different outcome instead.