The European Union has the Cyber Resilience Act, which will most likely become effective / mandatory by the end of 2027.
https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act
Skimming the regulation text, it seems it requires the manufacturer of a connected device to report on and quickly fix vulnerabilities within the device's "support period". The support period for device classes still has to be determined, but it seems it is a vital requirement for a device to get a CE certification (without which it otherwise is not allowed to be put on the EU market).
These devices were produced back on 2011 I believe. Even with the CRA, I don't think much would change. A decade is definitely the high end of reasonable required software support for cheap budget NASes in my opinion. Of course stores would be forced to stop selling any remaining stock of them, but I doubt that's much of a problem, really.