More like Qualcomm doesn't want to spend the money to do it. Google can't update the binary drivers and firmware that Qualcomm gives them. And Google only has so much leverage in order to get Qualcomm to provide updates to older hardware.
Sure, Google could release newer Android versions (assuming they'll run under whatever last kernel version Qualcomm provided support for, which isn't always the case), or at least release patches for flaws in Android itself, as long as they'd want to, but after the chipset support runs out, they can't update some drivers and firmware. I think it's not unreasonable to just declare those devices as insecure and move on.
Google has managed to get support up to five years, but only on newer Pixel devices. I'm sure that wasn't an easy negotiation.
Apple, in contrast, builds all the hardware and software in iPhones and iPads, so they can decide to support devices for as long as they wish.
Actually, it is Google’s fault. Had it insisted that all OEM vendors upstream the drivers it’d have happened long ago. Especially because of Google’s monopoly on Android. The thing is - it’s in Google’s interest to obsolete these devices so that people buy newer devices with more Google “features” (which in turn are designed to collect more and more data about the user, the whole Google Android being the 2nd largest advertising platform for Google, after the “search” engine)..
> I think it's not unreasonable to just declare those devices as insecure and move on.
1. The lockscreen bypass security flaw of last week is major compared to any flaw Qualcomm currently have.
2. Apple still updates devices hit with checkm8, so maybe security doesn't dictate everything for them. Not sure why it needs to for Google.
3. What does security has to do with getting Material You to my device? (to give just one example). Maybe the idea is that if a device is insecure, then it must get to the trash bin...? I hope not.
Android 12 requires Linux 4.4 for proper networking and cgroup handling, which the Pixel 1 doesn't support. Skipping those requirements isn't a good idea.
