It isn't just carriers. We have a fleet of Samsung Galaxy phones at work (S5 through S8) and none of them have been patched beyond August 2017. My personal Nexus device has the latest November updates...
When even the biggest Android suppliers can't be bothered to protect their customers, why should you ever buy a phone from them?
My Nexus is slowly nearing the end of its useful life, with updates planned for about another 12 months. The Pixel line is just too expensive, and I don't know of any third-party manufacturer that keeps their devices patched to cover the latest zero-day fixes. Does anyone know of any manufacturer that has released the November 2017 patches for their flagship devices, let alone models 12 months old or older?
That is the one thing I liked about Windows Phone: it offered central patching from MS, similar to that of Apple, and the configurability of Android. Unfortunately, it was too little, too late. I have both the Nexus and a Lumia 950. The 950 is a much better phone to use, but most of the apps I use have been pulled or are unstable (WhatsApp and FitBit being two prime examples: the former seems to use a random number generator to decide whether to notify you of incoming messages, and the FitBit app would lose contact with the FitBit device, so you either had to re-install the app or reboot the phone several times a day)...
Although I don't like the iPhone, I feel it might be the only valid option for long-term support when I replace my Nexus next year... :-(
If this initiative from Google works, it might offer some hope. You can't release an Internet-connected device today and not offer at least security updates in a timely manner for the lifetime* of the device.
* Judging by the people I know, lifetime is between 3 and 5 years.