How often do older devices get breached

A meaningful answer would require specificity about “older” (5, 10, 20+ years?) and would have to be broken down into manufacturer / major software / use case / target market groups. Also… would you include breach reports for software in the statistics? For instance, if an Adobe app was breached and leaked user account data, but it only affected devices running an older version of Android, is that an Adobe breach or an Android breach, or both?

and is there any way to continue using an “older” device safely

Basically, once a device stops receiving security updates from the manufacturer it should be considered untrustworthy. The only caveat to this would be if you knew the hardware (CPU/APU/GPU, storage, RAM, and especially NICs and TPMs), knew the firmware for all of it, knew the software running on top of it, knew that it had been audited, knew that there weren’t any major unpatched vulnerabilities for any of it, and probably limited its use to known/trusted networks. That’s a lot of work and some of it is probably impossible due to proprietary hardware & firmware.

But you’d also have to weigh all of that against your threat model like I described above. The question is always “How much effort would someone put in to hack me?” There is never zero risk, even with a brand new, fully up to date device. Security is always a game of “I don’t have to outrun the bear, I just have to outrun you.”

I feel like short security update lifecycles are a form of planned obsolescence.

There’s some truth in this, but also recognize that every CPU model has its own specific microcode, every discrete device will have its own firmware and driver, and every mainboard will have its own specific firmware that makes all of those devices work together. Every version of every phone model ever produced has some amount of device code that is specific to that version and model. Keeping on top of updating every one of them would be a monumental task. Testing every update for every device before deploying the update would probably be functionally impossible.

All of that is a big part of why Apple controls the hardware of their devices so tightly. It allows them to standardize things and limit the amount of code they have to write, and in general Apple supports their devices with security updates much longer than other mobile device manufacturers. Their support range seems to be about 7 years.

Don’t get me wrong, I’m not personally an Apple user. I prefer the broader freedom of choice in hardware and software in the Android market, but I understand that there’s a tradeoff due to the lack of standardization. Apple’s approach has benefits - there is a degree of safety in the walled garden that is not possible outside of it.

What really needs to happen is that buyers need to demand end-of-life information and support commitments from the manufacturers. For instance, the Fairphone 5 has guaranteed security updates until 2031, eight years after the launch date. That way you can make an informed decision before you buy.