This is actually a difficult question to answer with any confidence.
However, it’s also a question that more often than not answers itself eventually.
Risks low for most
On one hand, I believe the risk is low in general. While both iPhone- and Android-based mobile phones are targets, and more current operating system versions are more secure, my belief is for most people it’s not really as big a deal as one might think.
It’s the “most people” part that makes this hard to answer.
Most people’s use of their devices is relatively stagnant. By that I mean they use a few apps consistently, but don’t stray far from what they’ve been doing for as long as they’ve had the phone. They’re not downloading random apps that could pose a risk. The sites and services they use are well known and well established.
If that’s the case for you, there may not really be a huge benefit to an upgrade, other than getting a newer and faster phone.
If you’re not “most people”
If you’re a power user — if you regularly try out new things on your device, have dozens or hundreds of apps installed, and surf the internet with reckless abandon — then making sure you’ve got the most recent security updates makes more sense.
And at some point, that probably means getting a newer phone that has the newer operating system with all the newer bells and whistles, including security updates.
If you’re not a power user but don’t have a good sense of what it means to use the internet and connected services safely, then taking extra steps to stay safe makes sense.
Honestly, this is similar to the answer I give to someone staying with Windows 7 or even Windows XP on their PC. It’s on you. If your habits and usage fall into the “generally safe” category, you’re probably fine saving your money and continuing to use the device you have.
I believe most people fall into this category, particularly when it comes to mobile devices. They use their phones for what they use their phones for, and tend not to experiment or add much to their mix. For these folks, an upgrade probably isn’t required.
In your case, adding a security suite of some sort is an added argument in favor of staying where you are.
The problem solves itself
Ultimately, I think this problem solves itself eventually.
The number of people who are able to keep a phone working past that three-year (or however many year) window of support is probably small. Be it phones that get dropped, batteries that wear out, or phones that ultimately don’t have the power to keep up with the latest versions of the tools people use, I suspect a lot of people end up upgrading for a variety of reasons not related to security.
In your shoes, I’d probably keep on keeping on until something else causes me to need to upgrade.