A vast majority of Android customers are vulnerable because of a mistake Google made years ago
Android can sometimes seem like a no-win product for Google, especially where security is concerned. The company can either assert more control over the platform and risk the alienation of its manufacturing partners, or it can leave things alone and receive criticism when security vulnerabilities aren't fixed in a timely manner -- if they're ever fixed at all.
This problem is highlighted by Google's inability to fix several security vulnerabilities in the WebView component included with versions of the platform before the release of Android 4.4 "KitKat" in October 2013. As the company's engineers told the developer of the Metasploit Project after he emailed them about the newly discovered vulnerabilities:
"If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch."
It's not that Google doesn't want to fix the vulnerability -- it's that Android was designed in such a way that it can't fix the problem itself. Manufacturers have to develop their own fixes, or decide to send Google's updates to their devices because they're responsible for the software installed on their smartphones. (Carriers also have some input.)
The only problem? Manufacturers often stop sending updates to older devices after a certain period of time because they're focused on newer products. That has hurt consumers in the past, like when Google revealed that people using older Android devices will remain vulnerable to the infamous Heartbleed bug until manufacturers release a fix.
This problem is further exacerbated by the fact that many manufacturers never update older devices to more recent versions of Android. After all, if they can't be bothered to release security updates, why go through the trouble of working on a much larger Android update? So even though Google is working on this issue, it will be years before consumers benefit.
Google is trying to do the right thing, but it made a mistake when it sacrificed control over Android for the sake of market share. Now its customers are paying the price, and because its name is attached to Android despite its lack of say over how manufacturers use the platform, it could face backlash over the perception that it doesn't care about consumers.