If may just may add to the discussion.
I do believe security and upates are important. I would like them faster. But, I use my phones until they fall apart, which, credit to the manufacturers, is usually way past end of support. So, a brand that offers updates for longer has my preference.
If I take a step back and consider that there are enough potential leaks for Google even to be able to put out a security update every month, this means that in general my phone is not safe. There will always be an attack vector that we don’t yet know about. And we won’t know how long it will have been out in the wild until it is caught en patched. It’s not like hackers wait until the previous lot is patched before they search for a new one.
In short, for me the sheer amount of vulnerabilties lessens the stress on timing a bit. These days social engineering and external companies not storing your passwords safely are a bigger threat for the average user.
If you work for a company that is the target of ransomware, I can understand an extra level of vigilance towards smartphones, especially for key personel.
Are we, the it security conscious people, equally vigilant with the air pressure in our wheels, the time of day we go out, the amount of hours we slept before driving, the expiration dates of our food, our weight, smoking? Some of these things could actually kill us.
I won’t buy a phone that doesn’t offer updates. The tempo can be a bit slower for me.