I remember hearing that a large part of this is that Qualcomm doesn't provide security updates for more than this long so they can't really promise anything more since they may be unable to fix CPU-level flaws.
That being said it would be nice if they could provide support until a CPU-level vulnerability is found. (Or is there a decent chance that they wouldn't be informed?)
On the upside I believe that the Pixel 5 has a Google-"made" SoC so that excuse is gone now. I would love to see a nice long promise of updates. The amount of eWaste generated by a phone every 2 years is awful.
Qualcomm supplies the entire SoC and this includes drivers and firmware for way more than just the CPU. You can get Lineage OS onto Pixel phones outside of Google's support, but that only includes the OS layer and not the driver/firmware/baseband layer.
I don't think Google can change anything about this really. Qualcomm is the only non vertically integrated vendor of SoCs with the wanted features and quality Google needs (apple is vertically integrated). They don't have any buying power towards Qualcomm. In the hardware business, they are a niche provider. 2% market share in North America, world wide even less.
Google said they want to support the phones for 5 years, definitely an improvement. Note that it's not a sole Google product but a collaboration with Samsung, so will likely build on their Exynos IP.
3 years from the date of release is horrible. My iPhone 6S is coming up on 6 years of OS updates and will get at least 1 more with iOS 15.