Put it on a private VLAN (e.g. a guest network that can't be reached from the main network), pull the SIM card, uninstall all non-essential software, turn off all non-essential services.
Although I prefer "Internet of un-updated Linux boxes". (A thing to which I'm ashamedly a party. I was in a startup ~5 years back where I was responsible for the backend that provided the software and OS updates (a customised Arch repo and pacman config) for our hardware. The startup went under, having shipped the first production run. I kept the Arch repo up on my own dime for as long as I could, but eventually the control over the ___domain dried up and the subdomains it relied on no longer existed... There weren't many of our devices still connecting to them the last time the log files showed connections, but I'm looking at two of them right now which I've been occasionally doing security updates to by hand. I feel bad each time I do it, knowing there are customers out there who bought our stuff who are no longer getting any updates...)
That's going to be hard to deal with, principally because I'm sure many of the control apps only search for devices on your local subnet and don't allow manual specification of an IP. If they do allow manual specification of an IP, then you could probably do what the other person who replied to your question suggested: multihome a router, establish a hardened second network, and leverage port forwarding. If they don't, then you need to put them on a separate network and put a controller on that second network too (e.g. an old phone, tablet, or smart speaker).
Alternatively, you could set up a bridge by hardwiring the device to a Raspberry Pi and then using the Pi's WiFi to connect to your existing network. You then set up traffic forwarding across the NICs, man-in-the-middle all the traffic, and only allow certain traffic in and out. This avoids the need to create a new network.
A small router device put in between might help, say a repurposed (OpenWRT?) WiFi access point, or a small MikroTik or similar device. Forcing all IoT devices onto a second private WiFi network would allow you to set rules so that, for example, they can be reached by devices on the home network but are prevented from connecting anywhere else on the outside.
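A concrete version of what the two comments above describe (a two-NIC Raspberry Pi forwarding between a wired IoT device and the home WiFi, with rules that let the home network reach the device but let the device open nothing on its own), as an added example that is not code from anyone in this thread. Everything named in it is an assumption for the example: the Pi runs nftables, its wired port is `eth0` and its WiFi is `wlan0`, the IoT side uses the private subnet `10.66.0.0/24` with the device at `10.66.0.10`, the home LAN is `192.168.1.0/24`, and the device's control port is TCP 8080. The `ALLOW_TCP_OUT` list is the "only allow certain traffic out" knob; empty means the device may reach nothing beyond the Pi itself. The script only puts the Pi in the man-in-the-middle position (anything inspecting the traffic there, and the DHCP/DNS service the device will expect from the Pi, is a separate tool).

```shell
#!/bin/sh
# Added example, not from the thread. A Raspberry Pi with two network
# interfaces sits between a wired IoT device and the home WiFi, routes
# between them, and lets the IoT device talk only where we say.
# Every name below is an assumption for the example; adjust to your setup.
IOT_IF=${IOT_IF:-eth0}             # wired port the IoT device plugs into
LAN_IF=${LAN_IF:-wlan0}            # Pi's WiFi, joined to the home network
IOT_NET=${IOT_NET:-10.66.0.0/24}   # private subnet on the IoT side
IOT_DEV=${IOT_DEV:-10.66.0.10}     # the IoT device's address on that subnet
LAN_NET=${LAN_NET:-192.168.1.0/24} # the existing home network
# Ports on the Pi's home-side address that get forwarded to the IoT device,
# for control apps that accept a manually entered IP (space separated).
FWD_TCP_PORTS=${FWD_TCP_PORTS:-"8080"}
# Outbound destinations the device may still open, as addr:port (space
# separated). Empty means the device may reach nothing beyond the Pi.
ALLOW_TCP_OUT=${ALLOW_TCP_OUT:-""}

# Emit the nftables ruleset on stdout. Default policy is drop on both filter
# hooks, so anything not listed here (including all IoT-initiated traffic to
# the home LAN or the Internet) is dropped and logged.
gen_ruleset() {
    cat <<EOF
flush ruleset
table inet iotwall {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Manage the Pi from the home side only.
        iifname "$LAN_IF" ip saddr $LAN_NET tcp dport 22 accept
        # The IoT device may use the Pi for DHCP, DNS and NTP only.
        iifname "$IOT_IF" udp dport { 53, 67, 123 } accept
        iifname "$IOT_IF" tcp dport 53 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Home LAN may open connections to the device (after DNAT below).
        iifname "$LAN_IF" oifname "$IOT_IF" ip daddr $IOT_NET ct state new accept
EOF
    # Explicit outbound allow-list for the device, one rule per addr:port.
    for dst in $ALLOW_TCP_OUT; do
        printf '        iifname "%s" oifname "%s" ip daddr %s tcp dport %s ct state new accept\n' \
            "$IOT_IF" "$LAN_IF" "${dst%:*}" "${dst#*:}"
    done
    cat <<EOF
        # Everything else the device tries to start gets logged and dropped.
        iifname "$IOT_IF" log prefix "iotwall-drop: " drop
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    # Port-forward the control port(s) from the Pi's home-side address.
    for p in $FWD_TCP_PORTS; do
        printf '        iifname "%s" tcp dport %s dnat ip to %s\n' "$LAN_IF" "$p" "$IOT_DEV"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide the IoT subnet behind the Pi's home-side address so the home
        # router needs no extra route.
        oifname "$LAN_IF" ip saddr $IOT_NET masquerade
    }
}
EOF
}

# Syntax-check the generated ruleset with nft first, then load it and turn
# on forwarding. Run as root on the Pi.
apply_ruleset() {
    gen_ruleset | nft -c -f - || { echo "ruleset rejected by nft -c" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | nft -f -
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  gen_ruleset ;;
esac
```

`sh iotwall.sh show` prints the ruleset for review; `sudo sh iotwall.sh apply` checks it with `nft -c` and loads it. Two caveats: `flush ruleset` wipes any other nftables tables on the Pi, so merge rather than flush if the Pi already has a firewall; and, as the earlier comment says, a control app that only broadcast-scans its own subnet will not find the device through this box, so the DNAT rules only help with apps that take a manually entered IP (the Pi's home-side address).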
No security updates means potential for exploits, not definitely exploited. If you don't open yourself up to exploits by using the browser or untrusted apps, you're pretty unlikely to be compromised even with an older phone.
If this concept gets popular enough, eventually the majority of users will start using the same old model Android phone (Nexus 5, etc.). That's when all of the unpatched vulnerabilities will become a serious problem that's difficult to fix.
It's not difficult to fix. It's just that corporations want you to throw out and buy a new phone every year. This is what happens when you let the same company make the software and the hardware.
> This is what happens when you let the same company make the software and the hardware.
Not sure that follows, it seems a quite Android-centric view? (Which I guess is valid in the context of this discussion...)
Apple do a remarkably good job (in my opinion) of providing software/security updates to older iOS devices. iPhones as old as an SE or 6S are still getting current versions of iOS.
I have a _much_ harder time keeping similarly aged Android devices up to date (My Galaxy S6 Edge has been stuck on Android 7 forever. I'd need to root it and install a 3rd party ROM to upgrade it. I haven't done that because I still use it as a mobile app test device, and I don't personally "trust" non-stock OS installations to be particularly valid test devices for work apps...)