Whose responsibility?
Glad to see the question being asked, but unfortunately the fact it's being asked is only a sign that Android has overlaid itself on a very old model: that of mobile phone manufacturer / network operator.
The old "big" manufacturers are all but dead now, especially on their own platforms - Nokia, SonyEricsson, Motorola - and android looked like a magic bullet to them, but they didn't alter their model one bit, and they didn't consider security from the outset.
Why on earth is it possible to install *anything* on an android device? I know it's a setting (I've got an android tablet somewhere) but it simply shouldn't be there! It assumes a level of tech-savvy on the part of the average user: what's the point of creating a fantastically rich user experience if you then assume the user understand the concept of malware and knows how to protect themselves? People still die of STDs for god's sake!
This is google's responsibility, but the manufacturers have been just as lax, and the overall ecosystem allows everybody to point the finger at everybody else (as used to happen with network operators and manufacturers before). Add in operator approvals for android versions and bundled crapware, and now the spectre of robbed battery life and CPU cycles for more intrusive TSR antivirus (have you _seen_ what McAfee will do to a dual-core 3.0GHz machine? It's *pathetic*) and frankly Android is a huge pile of sh*t waiting to happen.
The whole windows experience is being replayed, in the mobile arena, and we're all running headlong towards it giving £20 notes to antivirus producers who've just seen that their business model has a whole new arena.
And yes, I run an iPhone. It's jailbroken... and I have made the necessary changes to secure it. When iOS 5 comes along, the features I need will be in, and I'll un-break it.
Android is a platform for the tech savvy. Good for them, but it won't keep the manufacturers afloat with those numbers.