I've always been curious about this one - what kind of exploits are you concerned about that could wind up with those sorts of consequences? Most of the security updates tend to patch things which are local only or barely exploitable in the first place. Assuming you're not installing entirely untrustworthy software on daily basis, it's probably not much of a difference. Looking at the latest Android security report, even the "Critical" vulnerability reported is a code injection in data that's usually only available to the app that wrote it in the first place.

Important applications like the browser, webview, media players, etc are patched via Play Store regularly so untrusted data is usually processed through those pipelines regardless. Perhaps hardware decode on untrusted content could still provide a vector there, but judging by the practice it's not exactly a large one.

There haven't exactly been worm-grade exploits flying around in the mobile space, even big public things like StageFright pretty much turned out to be non-starters and the targeted attacks are so far ahead that I wouldn't even worry about public exploits - the private ones have you covered already even on the latest OS.

Maybe I'm the minority here, but I wouldn't exactly rush out and blow $1000 over anything short of an unpatched and readily exploitable RCE.