Fairphone has astonishingly bad upgrades and patches policy. Very late, very delayed, not all of them.
Sure, better than, say, Sony (and as an ex-Sony user I kind of know what I'm talking about), but far from calling it good.
Every vendor waits a month before sending out security patches, including Google. I've never understood this (with Linux desktops as my context) but so if you have a risk profile where the OS needs more frequent updates but still want to use Android, you need to take extra hardening steps such as limiting what you expose the OS to (from the outside (firewall, turn off unnecessary connections like Bluetooth) and inside (potentially malicious apps))
I buy Samsung for the S-Pen. The moment a viable alternative comes along, I'll be the first to try it.
Their stock android is fine. If you want more privacy, installing e/OS/ is trivial. It blows my mind that anyone is concluding Samsung stuff is worth buying under any circumstances.