Re: So let me get this right...
Playing devils advocate here, so bound to get some downvote by those who don't understand what one is, but....
Quote: "Nope that would be ALL 5 & ALL 4"
Why?
MS don't do that for Windows, why would you expect Google to do it for Android? Typically MS requires you to be at a specific Service Pack level on an OS to receive new security patches, usually the last one released for an OS that is still in support. The Android equivalent of the service packs, being the minor releases, x.1 x.2 etc.
Why would Google be expected to patch 4.3 or earlier, when the current (and I would guess last) release of Android 4.n, is 4.4?
If a phone is still on 4.3 or earlier, go grumble at the carrier/vendor/manufacturer.
Granted sometimes you could be hardware limited, but you'd hope a phone would need to be 3+ years old before that became a factor. Minor release 'should' be able to be run on the same hardware.
There aught to be something in law coving these things. i.e Force OS updates for the handsets within a reasonably time (say 90 days), for the life of the contract or a minimum term, whichever is greater (say 3 years min), or the vendor becomes liable for any losses incurred by the phone, for anything related to a vulnerability that was fixed later on.
e.g. If your phone is on 4.3 currently and is a carrier phone (EE etc), and a 4.4 generic image has been release for your phone, just EE haven't done their tweaking yet, then the carrier becomes liable for all losses and personal injury caused by any vulnerability fixed in 4.4 after 90 days of 4.4 coming out. Liability cascading up stream, so if the manufacturer still hasn't release 4.4 after 90 days, it's them rather than the carrier that become liable.