Android - If I buy an Android phone today and want security updates for as long as possible, how should I choose a phone? I'm willing to use custom ROMs.

The Dutch consumer organization retests their smartphones periodically for updates:

The list is basically: the Google Nexus/Pixel phones (~3 years), Nokia / HMD Global, last (& this) year's flagship Samsung (~1.5 years), this year's flagship Sony Xperia.

(These phones had the February 2018 update at the beginning of March.)

In the meantime iDevices are updated for up to 5 years (4 years + security updates until next iOS). This makes them cheaper year-over-year over the lifetime of the phone. Please see the "Depreciation" and "Sources" worksheets in this Google Sheets workbook.

Modular may offer official long-term support

Not quite ready today are modular phones, such as Project Ara. Be aware that the schedule for modular phones has already slipped by years, so I would still treat the dates as questionable. Due to their modular nature, the expectation is that they will continue to be supported for a long time.

Update: Project Ara was nixed not long after I wrote this answer. VentureBeat has a story on Project Ara and the difficulties with modular phones.

Unofficial support

Without official support, you are basically trying to predict the future about what phones will have a sufficiently enthusiastic user base to support the phones. There are no simple hardware or price based criteria you can use to do this.

If you want something today, I would recommend a Nexus device. The guaranteed updates aside, these seem to have enough of a following in the community that there are custom ROMs available years after the official support has ended. Don't expect updates to be released in a timely manner, however, because people are basically supplying this out of their volunteer time. I have a Galaxy Nexus (maguro), for example, which was released in 2011. The latest maguro CyanogenMod releases are:

  1. cm-13.0-20160820
  2. cm-13.0-20160816
  3. cm-12.1-20160719
  4. cm-11-20150626

I was surprised to see an update to the 12.x line last month because it had been so long since the last update. I ended up reverting to the 20150626 build for development purposes because video on 12.x had problems, so also be aware that the custom ROMs can't work magic with less capable hardware.

Having unusual hardware has not dissuaded motivated volunteers from continuing to support the Galaxy Nexus, which has an unusual Texas Instruments processor. There were rumors that Google dropped support relatively early because of this.

Short of maintaining the device yourself or paying someone to maintain it for you, you have to guess.

Other answers mention that aftermarket distributions can provide you with security updates. This is only true to some degree. They usually integrate low-level code (proprietary blobs) from the manufacturer and those parts don't get updates after support from the manufacturer ends.

The same is true for firmware bugs in hardware components (e.g. Broadpwn).

postmarketOS tries to solve those problems with a GNU/Linux distribution for phones and open source firmware.
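One way to see the blob problem on a device you already own, as an added example that is not code from any of the answers above: compare the OS patch level a ROM advertises (`ro.build.version.security_patch`) with the vendor partition's level (`ro.vendor.build.security_patch`, present on Treble devices, Android 8.0 and later). The `getprop` sample below is constructed; on a real device the text would come from `adb shell getprop`.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output: the OS patch level is recent,
# while the vendor partition (proprietary blobs) is still at the OEM's last release.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.vendor.build.security_patch]: [2017-08-05]
[ro.product.model]: [Example Device]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$", re.M)


def parse_getprop(text):
    """Turn getprop lines of the form [key]: [value] into a dict."""
    return {m.group("key"): m.group("value") for m in PROP_RE.finditer(text)}


def patch_level(props, key):
    """Return the YYYY-MM-DD patch level stored under key, or None if absent."""
    value = props.get(key)
    return date.fromisoformat(value) if value else None


def patch_report(text, today_iso):
    """Age (days) of OS and vendor patch levels, plus how far vendor lags OS.

    today_iso is passed explicitly so results are reproducible in tests.
    """
    today = date.fromisoformat(today_iso)
    props = parse_getprop(text)
    os_level = patch_level(props, "ro.build.version.security_patch")
    vendor_level = patch_level(props, "ro.vendor.build.security_patch")
    report = {
        "os_patch_age_days": (today - os_level).days if os_level else None,
        "vendor_patch_age_days": (today - vendor_level).days if vendor_level else None,
        "vendor_lag_days": None,  # stays None when the vendor property is missing (pre-Treble)
    }
    if os_level and vendor_level:
        # Positive lag: the blobs are older than the patch level the ROM advertises.
        report["vendor_lag_days"] = (os_level - vendor_level).days
    return report


if __name__ == "__main__":
    print(patch_report(SAMPLE_GETPROP, date.today().isoformat()))
```

A large `vendor_lag_days` on a custom ROM is exactly the situation the answer describes: the system image is current, the firmware and HAL blobs underneath it are not.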