Apps do get updates, but they aren't the issue. The system/kernel/system libraries don't get updates and if they are compromised all your apps are compromised too. If someone know a vulnerability only in a normal app he can't do anything but look at only this one app, with system access well he can do way more.

(Also Android got some additional security/privacy features after Android 4)

But the thing is, even if 100% of your apps are vulnerable, it doesn't mean anything unless the attacker can reach your phone somehow. That can only happen in 5 different ways: (1) Low-level Wi-Fi bug exploit, (2) SMS exploit, (3) Cellular exploit (like a Stingray), (4) Cellular internet connection (open ports, etc.), (5) App-level exploits.

I don't know of any critical examples of #1 that I would need to protect against where upgrading is my only solution (maybe I'll upgrade if I find one). #2 can be mitigated at the app level (see my reply to the other comment here) and probably faster so than the update you'd receive. #3 can't really be mitigated by phone updates. #4 is impractical since cells are behind carrier-grade NATs and don't have dedicated IP addresses to be reachable via the internet. And #5 just involves updating the app, not the OS or hardware.

If you can give me an example of an actual attack that cannot be prevented without upgrading the hardware or the OS, I would find that far more convincing than a hypothetical.

A) I don't know. How would you ever know? RCE can be silent.

B) Yes, in Android patch level July 2017 and iOS 10.3.3.

They had a video of playing Unreal Tournament (the new one) on a Talos 1 with a AMD card.

As long as a card with Open Source driver support gets used it should work mostly fine. Back then they need a 4line patch to play ut4.