I think on-package labelling is a good approach. You could also make the retailer liable for a lack of updates - just as they typically already are with defective products in most jurisdictions.
Yeah, this isn’t that different than the food “best by date” requirements, and in most cases (despite popular belief) the likely consequences of eating old packaged food is not even getting sick, just staleness. Arguably, having exploitable electronics that are “expired” is a greater danger.