Debian Stable typically gets ~3 years of official security updates, but then in reality the LTS project is excellent and probably gives you two more years, and now there's also the ELTS project that might give you two more beyond that.
Which major commercial OS has a realistic expectation today of getting security updates for so long without being forced to change other parts of your system that you like as they are? Windows did, if you go back to the days when Microsoft published product lifecycle information many years into the future, before 10 deliberately broke that whole model and the stability that came with it.
macOS averages 3-4 years too. My point was just that if you want a user experience that never changes and only gets security updates, Linux isn’t the answer either (as the great-grandparent comment implied). At most, if you luckily sync up with an LTS version, you get a couple more years.
[0] https://wiki.debian.org/DebianReleases