Re: "to target older versions of Android that are no longer being patched "
If companies slowed down a little on developing and releasing new hardware (often that is not really significantly different from the previous version, or other products in their range) they might be able to a) spend more time testing and deploying security updates, and b) stop needlessly polluting the planet by manufacturing the pointless multiple new hardware revisions.
Knowing what most people are like, they get attached to their stuff and don't want the hassle of choosing and migrating to a new device every few years. I wish I could bung HTC a few quid every year to get access to security updates for my phone. But instead I have to throw it out and buy a new one every few years.
A few software devs have got to be cheaper than the vast amounts they must currently spend designing testing and building new hardware every few months.
That model would take some selling at present, but sometime soon the collective security awareness of the world will demand it. Surely?
If not, legislation will be needed.