Many of them NEVER received a single update ever. There are so many shady companies producing TV boxes with no plan to ever provide any updates.
Unless one of the larger brands make such a device, I don't see any reason to recommend anything but the ChromeCast or whatever Google calls it now. Or a Roku or an AppleTV, if you swing that way.
Quite a few of them actually end up configured to preference SD boot over internal flash and/or have easily accessible buttons or shortable pads to trigger bootrom recovery modes.
Which at least, stops them being automatically consigned to e-waste.
Although, customising a LibreELEC image for the dozens of different models of TV box isn't great. Typically involves sorting out the dts for the device and remapping the remote.
While Go and Rust aren't necessarily magic pixie-dust that can account for all types of security vulnerabilities, if I'm going to be faced with the possibility of some project being abandoned at some point for the next new shiny thing that everyone would rather work on, I'd at least like to give it a fighting chance of remaining secure for some time after abandonment without any updates. Ideally it would be a Rust userspace media management package running on Debian Stable getting unattended upgrades every night.
Since nothing like that exists I've recently decided to give CoreELEC/Kodi a try on an ODROID-N2+, albeit disconnected from any network. I was surprised at how seamless and integrated everything was.
The remote control for my television "just worked" with it out of the box thanks to HDMI CEC support. Arrow buttons, play/pause, back, etc. all did just what I expected them to do. It's a marked improvement from the last time I built a custom media box, which I had running MythTV on Gentoo, when I needed to jump through hoops to set up an IR blaster. And you can't argue with a 12v/2a power supply.
For now I'm keeping it off my home network and am "sneaker-netting" content on a USB drive between my trusted devices and the ODROID. When I get tired of doing that I might add some firewall rules to my router to only allow it to talk to a locked-down VM doing nothing but hosting a read-only file share. But some day I hope to look forward to building a similar form-factor box that has all the media gadgets and gizmos with a Rust userspace that respects my privacy and auto-updated Debian Stable so I can actually connect it to the Internet.
Auto updates also have a reputation for harming the user at least as often as helping (removing features, adding ads, whatever) and so trust in that is declining while the need for decent security (smart cars/homes) is increasing. Not sure what to conclude from this except that we need more focus on secure-by-design systems and maybe immutability guarantees rather than autoupdates, app stores, and plugin/extension frameworks but these things are sometimes impractical fundamentally and sometimes just inconvenient for surveillance capitalism.
This was apparently found due to seeing some changed files, so they didn’t ship with void, but it wouldn’t have been hard to push it out to pre-comprised boxes.
Ah the new economical divide.
Most "real people" also have phones which aren't receiving updates for a few years by now.
In south america the median android version is 8.
And phones are not optional as most countries already jumped into both digital government and money transfer.