If Apple delivers a defective device to the customer, I see no reason why they shouldn't be fixing it using the money the customer originally paid. A security vulnerability may eventually leave a device completely unusable.

The point is that with browsers there's also the option of using an entire different one, not just keeping an older version of the same browser.

There are a couple of problems with this argument. One is that with a device (especially a premium one) the cost of support for a reasonable lifetime is considered baked into the price. The other is that security updates imply a security issue, meaning the company sold you an insecure, i.e. defective device in the first place.

Apple seems to have made the economics work out well with devices alone.

You don’t even have to touch their services revenue to consider ongoing iOS development a significantly successful return on their investment.