There is no way I'm going to be continually looking for new incoming CVE that affect my old phone and making sure I have solid workarounds. The risk is too high that I'd miss one, mess up a fix, and then be vulnerable. And even if the risk wasn't that high, we're talking about a lot of time sunk into looking through security postings and verifying my own fixes/workarounds. It doesn't have to take too many minutes per year before it's worth me buying a new $130 moto E or whatever. As in like, 1 hour per three years or something.
This is the same reason why I don't run a computer OS at home that isn't patched to the latest security updates. I am not going to run windows XP at home and just disable / find workarounds for every single one of the probably-thousands of risks. That's insane.
That's a total straw man. You don't need to keep up with CVE. You really think I learned about e.g. StageFright through reading CVE or expected you to do that? If there's a serious vulnerability that actually needs your attention, you will read about it in the news (certainly on HN, most likely also the general news if it affects a sizable population). You will become aware of it somehow, most likely before a patch is even released. You won't need to put any time into it until it happens, and even then the mitigation (like e.g. disabling automatic MMS download here) will usually be far faster than the time to buy a new phone, set up your apps again, and move everything over. Not to mention that the phone you buy won't be updated to that very day anyway, so you'll have more upgrading to do soon after. Seriously, you're way blowing it out of proportion.
> If there's a serious vulnerability that actually needs your attention, you will read about it in the news
The ol' security through tech press approach. Seriously though, you can't have the security of your devices dependent on whether or not someone has come up with a catchy name for their exploit. The exploits with names like broadpwn and stagefright are the exceptions, not the rules, there are plenty of critical CVE's that have never had cool names or tech articles written about them. Even if an exploit has a cool name and some press, what if people don't upvote it when it gets posted here (or reddit/wherever)?
You seem to think that a security hole being "critical" implies you need to care about it. You do not. You only need to care about actual threats, not mere security holes. A "critical" CVE that nobody exploits is pretty darn pointless to worry about, just like how the fact that cellular communication is plaintext isn't really tickling too many people because the average criminal isn't using a Stingray. And an expoit that becomes widespread will get the press attention, precisely because people will want to know about it. (Unless you're the kind of person who's always one of the first few to catch a virus, in which case either you're a security researcher, or you're looking for trouble, or you're hanging out on the wrong networks...)
This is the same reason why I don't run a computer OS at home that isn't patched to the latest security updates. I am not going to run windows XP at home and just disable / find workarounds for every single one of the probably-thousands of risks. That's insane.