My Android phone is vulnerable, but there are no updates?

You are essentially asking what to do if you are using software which is known to be vulnerable but where no updates are available. This is a problem not restricted to Android phones; you'll find it everywhere, for example in IoT devices like routers or cameras, but also with software on the PC which only gets support for a limited time.

The answer should be obvious: either replace the software (or device) with one with no known vulnerabilities (and still getting updates) or reduce the risk of infection by decreasing the attack surface.

In the case of an Android phone the best option would probably be to get alternative and still supported software like LineageOS for it. If no alternative software supports your device, you might need to get a new phone with still supported software, and this time hopefully from a vendor known for better support.

If none of this is possible or if the costs don't match the assumed risk you could decrease the attack surface to reduce the risk of an exploit against your device. This can be done by having no network connection (neither mobile, WiFi nor Bluetooth) and removing all apps you don't really need. In case you have root on the phone you could also install some firewall on it to restrict network traffic to only a few selected apps.

Note that there is no perfect security even with supported software. How much effort and cost you invest for protection depends a lot on what you need to protect. If there is no sensitive data on the device you might accept a limited risk by using it in a mobile network and maybe in a restricted WiFi network (so that it cannot be used to exploit other systems in your home network). If instead you have sensitive data on the device you should probably invest some more and get a still supported device from a vendor with fast updates.
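To judge how far behind a device is before deciding between the options above, one check is the age of its security patch level. The script below is an added example, not code from the answer above; it assumes you feed it the text printed by `adb shell getprop` (lines of the form `[key]: [value]`), and the sample output is constructed, not from a real device.

```python
"""Report how stale an Android device's security patch level is.

Input is the text printed by `adb shell getprop`; the sample below is
constructed for illustration. On a real device run:
    adb shell getprop > props.txt
and pass the file contents to assess_getprop().
"""
import re
from datetime import date

# Constructed sample of getprop output (not captured from a real phone).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2017-08-05]
[ro.product.model]: [example-model]
"""

# getprop prints one `[key]: [value]` pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a {key: value} dict, skipping malformed lines."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess_getprop(text: str, today_iso: str, max_age_days: int = 90) -> tuple:
    """Return (age_in_days, verdict) for the device's security patch level.

    verdict is 'current' if the patch level is at most max_age_days old,
    'stale' if older, and 'unknown' if the property is missing or unparsable
    (e.g. a vendor build that does not report it at all).
    """
    props = parse_getprop(text)
    level = props.get("ro.build.version.security_patch", "")
    try:
        patch_date = date.fromisoformat(level)   # patch level is YYYY-MM-DD
    except ValueError:
        return (None, "unknown")
    age = (date.fromisoformat(today_iso) - patch_date).days
    return (age, "stale" if age > max_age_days else "current")


if __name__ == "__main__":
    print(assess_getprop(SAMPLE_GETPROP, date.today().isoformat()))
```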


This is a pervasive problem with nearly all Android phone vendors.

I suspect (only suspicion, I'm afraid) that they do it to boost the sales of their new models. I have tried reaching out to vendors and received responses that vary from "please wait, an update is on its way" (no it wasn't), to "we're no longer releasing updates for that old model" (if this is the case, most often the vendor simply doesn't respond).

Your options:

  • dance to their tunes, buy a new phone (repeat this every year or so)
  • if your phone supports it, put a custom OS (CyanogenMod or similar) on it (but then, how long will the custom OS support updates on your old-ish phone?)

I'm afraid we (the consumers) aren't quite the winners in this game.


It's a bit late for you now (I imagine), but as an Android fan I make sure to only buy phones from manufacturers that I know provide regular security updates. In the past I've had phones that received effectively zero security updates over the lifetime of the device, and I didn't want to have to worry about that again.

To be clear, the reason this happens is that Android is an open source system used by the phone manufacturers, and there is absolutely nothing that forces them to update their phones on a timely basis. Many manufacturers make their own changes on top of the stock Android system, which means that an update isn't even a simple matter of passing along updates from Google. Instead they would have to incorporate any changes to the Android system into their own builds, verify that everything still works, and then deploy the new bundles. It can be a very time consuming and expensive process (unless the manufacturer specifically plans for it beforehand), and the fact of the matter is that most people don't care. So until there is a clear push from consumers for regular updates and better security, it isn't going to happen. To be clear, that level of consumer-driven demand is never going to happen.

Here is a (fairly) recent list of devices that actually get updates:

https://www.bleepingcomputer.com/news/security/google-publishes-list-of-42-phones-running-latest-android-security-updates/

Also, here's an article that gives you an idea of what the state of affairs looks like, and the fact that even Google isn't very happy about it:

https://arstechnica.com/gadgets/2016/05/google-hopes-to-shame-slow-android-oems-with-update-rankings/

Keep it in mind the next time you get a new phone. In the meantime, the other answers here have some great tips for right now.