@markusl ah that's also something I pondered; others proposed some solutions here already.
Namely:
1. "use before date" clearly marked on the packaging
2. automated security updates; responsibility for applying them should rest on the vendor, and they have to be provided in a timely manner until the "use before date"
3. after the "use before date" cut-off, vendor can either provide critical security updates, or has to release the code as FLOSS so that they can be created independently.