It's actually astounding, albeit hardly surprising, that companies often have zero interest in pushing security patches to devices not being manufactured anymore.
Heck, until Stagefright, Google didn't even release security bulletins. It was nigh-on impossible to keep track of all the vulnerabilities. They only released security patches in new version releases. That wasn't good for vendors.
Now Google has pushed forward, and it's the turn of OEMs. They shipped patches for Stagefright due to the massive bad PR (headline news in many countries, and a talking point amongst even the vaguely tech-savvy).
Unless regulated or they feel they will lose money by not doing so, I don't imagine anything changing soon, unfortunately. Qcom and other SoC makers are part of the problem too, since they try to drive chipset sales by only supporting older chipsets for a short time.
Sure, one could install an updated and more secure ROM (assuming it exists for your device). But the vast majority of users don't care or won't bother to go through that process, rendering it a completely ineffective solution for the general consumer market.