This hits the nail on the head. The Project Treble thing will make no significant change in the long run. OEMs don't care about updating Android, they only care about selling hardware and developing shitty custom launchers.
Google is the only one that could change this. They could "tie" the Android licensing (Play Store and their custom bits) to forcing the OEM to release n major version updates. But they won't do this because it will hurt them financially (fewer licenses sold in the long run...).
However, if Google were to make such a move, they would see Samsung leave immediately and Huawei shortly thereafter. And Samsung makes 50% of Android devices - it will be a very hard business decision to justify destroying their ties with Samsung over device updates [1]. Note that Samsung periodically trots out their Tizen operating system to remind everybody that they can be independent of Android should they want to. Huawei will probably just fork Android and attempt to maintain their own app store.
The Android device market is rife with politics and the consumer is mostly on the short end of the stick for it. And Apple is the real winner there - they can sell more expensive devices because people are rightly happy to pay a premium not to deal with Android's bullshit.
[1]: Ironically, Samsung is likely the best Android OEM for device updates - if and only if you consider their high end Galaxy S and Galaxy Note lines. The real issue is that Samsung wants to also flood the market with cheap crappy devices and never update them - and will likely happily ditch Android for Tizen to continue to do so.
Shame Google wasted a lot of capital they had trying to do some really silly things in Android for a few years, and didn't lance this boil while they still had the chance.
Some smaller vendors might appreciate having these responsibilities taken away from them. Sony, HMD/Nokia and Lenovo/Motorola are basically only adding some apps, themes and tweaks to AOSP at this point anyway, but do tend to have a relatively good update reputation (or used to). But other vendors will not appreciate giving away this control at all. Some vendors are likely partially motivated to not have devices updated in the first place.
So will Google make such a ballsy move? They themselves barely have good business reasons to do so. Android completely dominates the market anyway, without Google upsetting the politics amongst the vendors and pouring money into doing things that vendors refuse to do. It seems Android's bad reputation with regard to updates doesn't really hit anyone that hard.
Having said that, Project Treble does seem to be a move in that direction. Maybe Google cares enough about their own and Android's reputation, or maybe they even care enough about being responsible. Maybe they'll make "Windows Update for Android" an opt-in thing for vendors. Maybe there are other ways they can create a more responsible market (and a better reputation for Android) without upsetting vendors. Let's hope they find a way at least.
I heard on the "Security Now" podcast that there is a new law that requires all government-purchased IoT devices to be updateable to fix security issues.
Expand the law a bit:
Make all internet-connected device makers (including phone makers) liable for any loss of private consumer info or hack, for 10 years from any internet-connected device's release.
Anyone can file a lawsuit against them easily, or in a class action against the vendor, if they don't provide security fixes/upgrades within 4-6 months of being notified of the vulnerability.
Establish an ISO security standard for IoT (and all phones), such as:
1) Standardize SW/FW update requirements, methods and audits: SSL, security hashes, CAs, etc.
2) Require the system to monitor and log all program/critical system component creation/execution and all internet connections and downloads, for auditing by the owner of the device.
3) Require system vendors to have the source code / toolchain / build system in place to rebuild and fix security issues.
Once the vendors are liable for hacks, they will need insurance. The insurance company can follow the ISO security standard to audit and estimate the potential cost.
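As an added illustration of what a standardized, auditable SW/FW update check (item 1 above) could look like in practice, here is a small Go example. It is not code from the thread, from Android, or from any real IoT standard: the vendor signs a manifest (product, version, SHA-256 of the image) with an Ed25519 key, and the device verifies the signature, rejects images for other products, refuses version rollback, and checks the image hash before installing. The manifest format, the `DemoKeyPair` helper, the product name and the firmware bytes are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest. The vendor signs the JSON
// encoding; the device verifies the signature before trusting any field.
type Manifest struct {
	Product string `json:"product"`
	Version uint32 `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the firmware image
}

// SignedUpdate is the bundle a device would download: manifest, signature, image.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrHashMismatch = errors.New("image hash does not match manifest")
)

// DemoKeyPair derives a deterministic Ed25519 key pair from a one-byte seed.
// Constructed for the example only; a real vendor key lives in an HSM.
func DemoKeyPair(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildUpdate is the vendor side: hash the image, describe it, sign the description.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// VerifyUpdate is the device side. Order matters: verify the signature before
// parsing anything, then product, then anti-rollback, then the image hash.
func VerifyUpdate(pub ed25519.PublicKey, product string, installed uint32, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return m, ErrWrongProduct
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(u.Image)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return m, ErrHashMismatch
	}
	return m, nil
}

func main() {
	pub, priv := DemoKeyPair(1)
	image := []byte("constructed firmware image bytes") // stand-in for a real image
	u, _ := BuildUpdate(priv, "phone-x", 2, image)

	// Happy path: device on version 1 accepts the signed version 2 image.
	m, err := VerifyUpdate(pub, "phone-x", 1, u)
	fmt.Println("verify:", m.Version, err)

	// Tampered image: signature still valid, but the hash check catches it.
	tampered := u
	tampered.Image = append([]byte{}, image...)
	tampered.Image[0] ^= 1
	_, err = VerifyUpdate(pub, "phone-x", 1, tampered)
	fmt.Println("tampered:", err)
}
```

The version comparison is what turns "you can only install what the vendor signed" into "you cannot be pushed back to a build with a known hole"; a standard that mandates signatures but not anti-rollback leaves that gap open.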