Firmware and driver patches are not any less important than generic OS patches. A high portion of critical severity patches are for drivers.
Android Open Source Project has a new release every month. These are monthly, quarterly and yearly releases. Yearly releases move forward around 3 months on the development branch. Since Android 14 QPR2, quarterly releases also do the same and just leave most new feature flags disabled. These are required for full patches.
OEM support for the device is needed because an alternate OS cannot provide firmware updates otherwise. In practice, driver updates also come from the OEM. Providing the Android Open Source Project backports is nowhere close to full security patches. It's unfortunate that most alternate operating systems mislead users about this by setting an inaccurate Android security patch level field, not being honest about what's missing and downplaying the importance of it.
@brahms @mox @manualoverride
Android Open Source Project provides backports of most but not all High/Critical severity patches to the initial yearly releases of Android 12, 13 and 14 for devices which have not updated to the latest release (currently Android 14 QPR3). The combination of these backports with baseline firmware/driver patches form the Android Security Bulletins referred to by the security patch level. This is not the full set of security patches, just absolute bare minimum.