Carriers monkey with the OS/apps, then the carriers should fix them. It is high time that the law treats this sort of thing as a fault to be fixed for, say, 5 years after last sale. For everyone, so no supplier can wriggle out and not have to pony up to fix the damn software.
Five years is excessive. I'm not sure if the length of the warranty is really the problem. As you point out there are a lot of parties involved in any rollout. The law should be used to streamline the distribution of security patches. The threat of legal action backed up with stiff penalties can work wonders.
This might be good in getting the carriers out of the mix, to which they add so little. Manufacturers might also be forced to pool resources for development or otherwise face a levy to a statutory body.
Some thought would be need to given to older hardware which is no longer able to support the latest version of an OS. Backporting will only work so for so long. Might have to introduce official restrictions on older hardware. It's not really that different to phasing out things like analogue mobile phones. Carriers should be able to enforce this.
Just some ideas.