There are plenty of vulnerabilities for old versions and plenty of people that don't install updates or have out-of-support phones. I need look no further than my immediate family to have multiple examples of both (yes I help them manage this). Yet I've never heard of anyone experiencing negative consequences from not updating a phone. (At least, not beyond some high-profile people that made the news.) Computers, sure. But why not phones? Is the data on there not valuable enough? Too often sync'd to a server?
I don't know but there's something here beyond the ability to install software like you've always been able to do on Android
