Comment by d3Xt3r

Replacing the OS is only one part of the equation, it doesn't mean you're replacing the low-level firmware blobs provided by various chipset vendors (like Qualcomm).

For phones before the Project Treble era (~2018), the OS, the kernel, and the vendor blobs were all deeply intertwined with each other. Because you can't get newer blobs from the hardware vendors, it's generally not possible to run a newer OS on those devices. Community-made custom ROMs (like CM/LOS) had to rely on hacky workarounds to get newer Android versions to run on older kernels, which lead to stability issues and the famous "what works/what doesn't work" meme.

For Treble-supported phones, the OS framework is decoupled from the vendor implementation. This means that you can run the latest OS (using a Generic System Image) on top of the older vendor blobs. BUT you are usually still stuck with an older kernel, as those proprietary blobs still rely on the vendor's specific kernel drivers, although it's a bit more stable compared to pre-Treble due to the decoupling and the standardised vendor interface.

In either case (pre/post Treble) the main problem is that your low-level firmware remains permanently out-of-date, which puts your device at risk. An up-to-date OS can mitigate application-level risks, but not all of it. For eg, it cannot protect against attacks targeted towards the baseband modem, the Wi-Fi or Bluetooth controllers. If a vulnerability is found in the cellular modem firmware (like the infamous Broadpwn or Kr00k exploits), no custom ROM or other OS (PostmarketOS etc) can patch it because only the chipset OEM has the source code to update that specific chip.

So unless all the various chipset OEMs come to the party and either release the sources or provide updated blobs, these devices can never be trusted for use in a production environment.