> The 5 year clock should start from the last time a consumer purchased the product new...
Obvious problem - how could the manufacturer determine (let alone control) when, literally, that happened? They might tell when their major distributors and online retailers ran out of stock...but small distributors and bottom-feeding resellers and mom-and-pop retail? Impossible.
On-package labeling ("Software security updates for this thingie will be available until at least Dec. 31, 2029; also check our web site at https://support...") would be the only fool-proofish method.
I think on-package labelling is a good approach. You could also make the retailer liable for a lack of updates - just as they typically already are with defective products in most jurisdictions.
Yeah, this isn’t that different than the food “best by date” requirements, and in most cases (despite popular belief) the likely consequences of eating old packaged food is not even getting sick, just staleness. Arguably, having exploitable electronics that are “expired” is a greater danger.