
> Does this mean the vast majority of Android users (who are on Qualcomm chipsets) are vulnerable to these zero day attacks?

If not these precise ones, related ones yes. Certain chip vendors are notorious for not providing fixes of this kind to the manufacturers to roll out (maybe doing so selectively based on who they're extra special buddies with), if they ever even made them at all before moving on to the next shiny SoC.

The other side of this is Google never met a security problem that isn't solved by further coupling the system to their cloud, especially for updates. Coincidence?



> Certain chip vendors are notorious for not providing fixes of this kind to the manufacturers to roll out (maybe doing so selectively based on who they're extra special buddies with), if they ever even made them at all before moving on to the next shiny SoC.

Never heard that before. Chipset vendors are under maintenance contracts with their customers, so they are actually PAID to provide fixes, especially for CVEs. Manufacturers, on the other hand, have little to no recurring revenue from a device which could finance implementing, testing and rolling out each patch.

Care to provide a concrete example for your claim, especially for this "extra special buddies" suggestion, which insinuates that a chipset vendor developed a patch and still doesn't provide it to all its customers...?


If the chipset vendors never provide fixes except to customers that ask, and the customers never ask because it costs reimbursed money to do something with them, from the point of view of the end consumer, the chipset vendors haven't provided the fixes.

In PC hardware, the expectation is that most drivers are available both from the manufacturer of the device and directly from the chipset vendors. Some chipset vendors don't play that way, but most do. In mobile, the expectation is that drivers only come from the device manufacturer, and if there are no updates, it's hard to figure out who's at fault because there's no transparency.


For like 2 years per chipset. That's not very long. Also since every customer has its own kernel branch, not all of them get the fix just because it was made in one branch.


This is somewhere between scarily naive and horrific bait.



