Is it that high? Not even joking. I was always under the impression that it was much lower, and that many of those that are still receiving updates won't update (old habits from when updating android could brick your device).
That is a difficult topic. Google did take steps to mitigate issues there. Android got Hardware Abstraction Layer to prevent blobs from blocking updates ; also, a lot of updates were moved from AOSP to the Play Service, so Google can more easily roll them out. (And to make AOSP and 3rd party roms less of a threat, eh.)
Edit : that said, most android phones have woefully short support period.
It is a difficult topic, but one worth discussing I think. Cellphone security used to be an afterthought, at best. Google (and some rom maintainers) have done an amazing job at improving overall security. They have a long way still to go (such as forcing manufacturers to a certain level support), but what they've done thus far is commendable.