What if the Android update system is split into two channels: critical updates and feature updates.
The latter can be issued via the OEM or carrier - whereas the former is issued by Google. Since Google own the trademark on the Android name (http://developer.android.com/legal.html), perhaps Google can enforce a rule that an OEM which ships its device without compliance with the above cannot call their device an "Android device".
The issue as I understand it is that's impossible, because there's no motivated stakeholder who can perform regression testing to validate the critical update channel. And the device builds have deviated far enough from vanilla Android+kernel that they require their own.
Tbh, Google needs to work with the Linux groups pushing for more coherent ARM/device flexibility frameworks, then ban carrier and device manufacturer build modification below a certain level of abstraction. Otherwise they revoke Android branding + access to GApps.
Then they would at least have a base for eventually saying,
"We're going to enable a critical update channel where users take updates directly from Google. We will release these updates to you with a lead time in proportion to the severity. Unless the user has explicitly opted out, they will automatically receive the update after that period. If it breaks your phone, then users are going to stop trusting you as a manufacturer / carrier."
I've been saying this for years. Google needs to provide security updates to all versions of Android which don't change APIs or functionality. Just drop-in replacements to fix exploits. These need to be offered for a period measured in years to every version of Android they release.
Microsoft still releases regular security fixes for Windows Vista!