I want to vote you both up and down.
What you said about the Windows ecosystem is correct.
Anything you install in Windows can access anything in your account or anywhere in the system if installed as Administrator.
The same is not true of Android; there is that whole "permissions" framework which the developer has to ask for.
However, most users don't even glance at those when they go to install an app, and the developers, even the mainstream ones, ask for completely ridiculous capabilities.
Recently Google itself updated the Maps application and it wants a new ability to connect and disconnect from Wi-Fi. As this app seems to have nearly every permission on the phone already, I'm very leery.
And seeing Google just removed the accidentally leaked App Ops, which could potentially mitigate against such madness, I'm feeling quite frustrated.
Other than Google-provided services, I don't have a single social network application on my Android phone as they want ridiculous capabilities.
"Manage the accounts on this device", I don't think so!
DESPITE this, the situation between Android and Windows security models is not at all similar.