Although Google are now promising 5 years of support for Pixel phones, Pixel phones are not a core business for Google, and as they have shown many times, Google will end projects at the drop of a hat with no regard for their customers.
There are secondary Android companies like Samsung that promise long term security updates, but are always behind the publishing curve compared to Google. This means that malicious actors have the opportunity to study Google’s published updates to reverse engineer cracks that they then exploit.
The current Android security update model is inherently insecure due to this issue. Until manufacturers are forced to update in a timely manner ( by which I mean simultaneously with Google) I won’t buy another Android phone.