There's a limit to that. Kernel/middleware updates see a steady flow of security patches on basically all devices. It's true that real-world exploits tend to involve some bug higher up the stack (in still-updatable software, e.g. apps or the services layer), or at the very least to be susceptible to workaround fixes there. But nothing is perfect and relying on an out-of-service device is IMHO pretty questionable.