wjl [...] I'm a bit reluctant to send perfectly working hardware to the landfill [...]
It's a very real issue. But these days so much of the device is software, including firmware, that the device can't be "perfectly working" if the software is vulnerable to remote exploit.
To their credit, Google is trying to move the needle with longer support for their newer hardware. Interestingly, moving more parts of the device in-house is part of that - similar to Apple. Part of the problem with buying parts from a bevy of suppliers is that software for the device as a whole ends up at the mercy of all of those parties. Over time the landscape may improve. One thing that could help would be for a phone manufacturer targeting longevity (such as Fairphone) to sit down with the GrapheneOS team to get some solid security advice, and make changes accordingly.
As a practical matter, once a device falls out of GrapheneOS support if you have low-security uses for it you might look at some other platforms such as DivestOS.