4 years was the longest that I kept a phone. 3 is more typical for me, unless an unfortunate drop takes one out, as it happened with 2 of my past devices.
However, a Galaxy S9 that I used for just 2 years did get passed down to my youngest son last year and he's still using it today. I think it could handle up to Android 12 (stuck at 10), and it sure would be nice if it at least still got security updates - but that's done too.
Realistically, I think they should offer at least a minimum OS update timeframe, and call it 5 years with security updates 2 more after that. Let that be the standard, with further OS updates based on what the device can handle and what the state of the OS is at that point. I mean, if it can handle another year or two or five beyond that, great. Don't just cut them all off at a set time.
That's just my take.