Napping.Synth.DownloadGoogle, to their credit, has finally gotten to a point where this is achievable (on the software side) on Android. Project Treble, Project Mainline, Generic System Image, and Generic Kernel Image have worked together to make a device feasible to support at least 5 years in security, and up to 8 years for flagships.
Now if only they could mandate unlockable and reflashable bootloaders.