
As an example, the original OnePlus One has good LineageOS support, but the vendor security patches were seemingly discontinued three years ago:

[screenshot]

What are the security implications and is the vendor dropping support enough of a reason to buy a new phone?

user220244

3 Answers


There are two exploits that I've found at https://www.cvedetails.com/vulnerability-list/vendor_id-16630/product_id-38593/Lineageos-Lineageos.html but there may be more 0-days that are unreported. The device seems to still get Android security updates, which is important as that controls more areas and offers a larger attack surface.

Without knowing your exact situation and the usage of the phone it's hard to say whether it's worth it. If you are potentially a target or use the phone to hold sensitive data then I would recommend getting a more suitable device, or at least rooting and installing a system that is fully updated.

LTPCGO


“Android Security Patches” deal with the OS and Android services. “Vendor Patches” deal with everything else. That can be patches to physical hardware vulnerabilities, or security patches for the drivers of device hardware.

If it is still unclear, let me describe it in terms of a Windows computer. The “Android Security Patches” can be represented as the Windows Security Patches. The "Vendor Security Patches" can represent the Driver Security Updates that come from the components or computer vendor.

If Android needs to use a driver or vendor-related code, it may open a vulnerability in your situation. It will not be Android itself that causes the exploit of a vulnerability, but something running on Android would abuse the hardware. It might also be an exploit manifested in the hardware that may attack Android. On the other hand, anything that is in the control of Android is safe (considering the date you posted the question and the screenshot).

How bad the vendor/hardware vulnerability is will depend on the number of exploits and vulnerabilities that have been discovered for your specific device model. You can try looking up "<device model or name> CVE" on Google. You may get CVEs (Common Vulnerabilities and Exploits) that relate to your device in the search results.

If you see too many CVEs that apply to your device model and/or device manufacturer (not specifically other devices), then it is time to buy a new phone. If you are plain scared and want to play it safe, then just buy a new phone.

Amol Soneji

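The two patch levels described in the answer above are exposed by the device itself as system properties, so you can check both without guessing from a settings screen. The following is an added example, not code from the question or any of the answers: it parses `adb shell getprop` output, reads the OS patch level (`ro.build.version.security_patch`) and the vendor patch level (`ro.vendor.build.security_patch`), and reports how stale each one is. The getprop text, the reference date and the 90-day staleness threshold are constructed for the example; the vendor property is absent on many older (pre-Treble) devices, which the code reports as "unknown" rather than treating as current.

```python
"""Compare a device's Android (OS) and vendor security patch levels.

Added example, not part of the original Q&A. Feed it the output of:
    adb shell getprop
The sample text at the bottom is constructed, not captured from a real device.
"""
from datetime import date
import re

# Property names set by the Android build system.
OS_PATCH_PROP = "ro.build.version.security_patch"        # OS/framework patch level
VENDOR_PATCH_PROP = "ro.vendor.build.security_patch"     # vendor/HAL/driver patch level

# getprop prints one property per line as "[key]: [value]".
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a {key: value} dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_date(value):
    """Patch levels are ISO dates (YYYY-MM-DD); return None if missing or malformed."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def patch_ages(getprop_text: str, today_iso: str) -> dict:
    """Age in days of the OS and vendor patch levels, None when the property is absent."""
    today = date.fromisoformat(today_iso)
    props = parse_getprop(getprop_text)
    ages = {}
    for name, prop in (("os", OS_PATCH_PROP), ("vendor", VENDOR_PATCH_PROP)):
        d = parse_patch_date(props.get(prop))
        ages[name] = (today - d).days if d else None
    return ages


def assess(getprop_text: str, today_iso: str, max_age_days: int = 90) -> dict:
    """Classify each patch level as current, stale, or unknown.

    An absent vendor property is reported as "unknown": it means the device
    does not carry a separate vendor patch level at all, which is a gap, not
    evidence that the vendor side is up to date.
    """
    ages = patch_ages(getprop_text, today_iso)
    verdict = {}
    for name, age in ages.items():
        if age is None:
            verdict[name] = "unknown"
        elif age > max_age_days:
            verdict[name] = "stale"
        else:
            verdict[name] = "current"
    return {"ages": ages, "verdict": verdict}


# Constructed sample: recent OS patch level, vendor patch level three years old.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-03-05]
[ro.vendor.build.security_patch]: [2016-04-01]
"""

# Constructed sample from a device that exposes no vendor patch level at all.
SAMPLE_NO_VENDOR = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-03-05]
"""

if __name__ == "__main__":
    for label, text in (("treble device", SAMPLE_GETPROP), ("legacy device", SAMPLE_NO_VENDOR)):
        report = assess(text, "2019-04-01")
        print(label, report)
```

Run it against a real device with `adb shell getprop > props.txt` and pass the file contents to `assess`. A "stale" vendor verdict next to a "current" OS verdict is exactly the situation the question describes: the ROM keeps the framework patched while the drivers and firmware below it stop receiving fixes.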

Though I don't know your security requirements and willingness to pay for security, the answer is probably yes. In the last 3 years multiple sandbox escape, remote code execution and privilege escalation vulnerabilities have been disclosed for Android. It is not unlikely that an attacker could fully take over your smartphone by:

  1. executing code in your browser, either through XSS of a genuine website that you visit or when you access a malicious website
  2. escaping the browser sandbox to execute code on a system level
  3. escalating his/her privileges to root by exploiting a privilege escalation vulnerability

D.O.