It all boils down to how much risk you feel you're exposing yourself to and how much risk you're willing to tolerate. I keep trying to find excuses to keep my Galaxy S5, despite the broken micro USB jack (I charge the batteries outside the phone), the broken headphone jack (who needs 'em), and the outdated Android Marshmallow OS. This might be the year I finally get something up-to-date, but I don't want to part with something that works just fine for now.
I had to comment: I am doing the same with my S5, and mine does not consistently charge via USB anymore! I seriously think sometimes it was the last good smartphone with a replaceable battery.
I think in general, being smart about what you do on your devices and how they are configured can have big benefits, and matters at least as much as having an up-to-date device. For example, most Windows security vulnerabilities of the past 5+ years require someone running as a full administrator, or visiting a "specially crafted" website.
-- some basics:
1) Don't go to unfamiliar websites, use an adblocker.
2) Change default passwords on all devices.
3) Do not use dictionary passwords.
4) Configure 2-factor auth for accounts you care about, like banking, email, anywhere you store your CC number, etc.
5) Avoid phishing.
6) Try to avoid reusing passwords.
7) If you learn of a major hack of one of your accounts, make sure to change any other accounts using the same password!
8) If something does not need internet access, don't connect it!
I do not have a number, but I would bet these types of behavioral changes matter as much as or more than having the latest security updates.
Whenever possible, update/replace devices that cannot get updates anymore or remove internet access from them. It helps if you follow the "mustachian" lifestyle and do not have a lot of devices to begin with... who needs a wifi lightbulb?