As far as I know, Google doesn't have an official policy on how long they provide security updates, but it has pretty consistently been 3 years after release.
The only reason old versions are still in use is that most vendors release a phone, give it the bare minimum number of updates, then abandon it when next year's shiny new model comes out.
iPhones are still better when it comes to updates, but things have been slowly improving. A new Samsung flagship gets you 5 years of support (4 major upgrades + 1 of security updates). For a Google Pixel it's also 5 years, but 3 major updates + 2 of security updates. Not as good, but not terrible either.
It's still a problem for old phones, but at least from now on it should be better.
We should also keep in mind that when we talk about iOS/iPhones, we're talking about one company. When we talk about Android updates, there's Samsung (now good), but also Xiaomi and OnePlus (meh), and brands that release phones with already outdated software (really bad). [edit: not to mention different price ranges.] If we're looking at $/€/£500+ iPhones, maybe we should compare them to a $/€/£500+ Samsung Galaxy or Google Pixel?
And iPhones from 2015 are still getting security patches.
The iPhone from 2015 running an old iOS version is not secure. Apple will release an update to WebKit or something like that to fix something being exploited, but most bugs are not fixed. The equivalent on Android would be receiving an update to WebView via the Play Store, which the user wouldn't even notice. And this is even more true on newer Android versions that have critical system modules and features backported via Play Store updates.
Apple is better than most Android brands at updating their phones and tablets, but don't make the mistake of assuming you're safe using an old iOS version that was recently updated.
They do the same thing on Macs by the way. A machine gets ~7 years of support and they release a security update to old macOS versions from time to time... they get the headlines, people think they're using a secure OS, but even Apple admits that most security fixes are not backported.