doesn’t seem like this’ll be much of an issue for Apple, as plenty of others have already pointed out. they fare perfectly well with security updates for older OSes & have never kept it a secret what their timeframe is for devices becoming vintage/obsolete (though I get this has more to do with software than hardware, a device attaining such status implies it will not receive major software updates, simply critical security updates as-needed).
as far as reporting on security vulnerabilities goes, it’s my understanding Apple’s done better with this in recent years as well—even if what they do with the information they’re given does leave a bit to be desired…