It depends on the manufacturer. Some do in rare mass exploitation events; Enterprise gear like Cisco, Fortinet, Ubiquiti, and Mikrotik offer great long-term support for bugs/exploits, ASUS is pretty good on the consumer side with long term support then Netgear is behind them and last is TP-Link, and most of ISP supplied routers are rubbish but most companies don't and just stop providing updates full stop when a router is EOL. When a product is EOL it's best to move on since security updates are usually no longer provided and your probably behind 5 years on current technology anyway.
The slightest unsure if a router is not getting any updates or risk of turned into EOL ( end of life ), simply reach out to either the vendor or the ISP. With the exact model and version number their official customer support should be able to answer.
If you are using routers that can be flashed custom os like ddwrt/openwrt you can flash such custom OS and continue using the router without worrying about security issues. If you are buying a consumer router make sure that it is supported by openwrt or ddwrt so that you can use the same for a longer period.
Do ISP routers/modems like from AT&T have firmware that come from them (AT&T) get security updates forever because it is not a product you can really buy officially and own?