Sony aren't much better, unless it is for their permium phones.
I have an Xperia SP, which I have owned for about 2 years, and still works fine, and does pretty much everything I need it to. The only exception that the internal flash storage is getting full, mainly because the thumbnail cache for the Album app. currently sits at about 1GB of the internal flash used.
Although 4.4 was originally promised, it never happened, and Sony are saying that they are not intending to issue further patches for 4.3 on any device. And that's ignoring the ISP.
The problem is, as I see it, that consumers who do not want to update their phone every year are being left stranded with nowhere to go apart from something like Cyanogen.
I tend to pass my phones down to my kids. Until recently, I had a Samsung Galaxy Apollo running 2.3 and an Sony Xperia Neo running 2.4.3 in use by my kids (the Samsung finally give up the ghost a few weeks back) and I tend to keep phones for 2 years before moving on.
But I look at the phones that I may move on to, and very little in the midrange that I'm looking at is much better than my SP, and those that are are generally still running 4.3 or 4.4, so may already or could soon enter the unpatched category. I don't value a phone enough to either pay £200+, or enter into a £25+ per month contract that would get me a higher end phone that is likely to remain patched for any length of time.
I think that there should be regulation that forces updates for a minimum time, at least as long as the longest contract, from the point of initial sale or supply rather than introduction on all devices that could be vulnerable (something like at least four years from introduction or two years from sale, whichever is latest)