Exactly
It's trivial for GOOGLE to fix, in the current build, possibly in previous builds as well. Handset manufacturers then have to update their code, on phones they already no longer support, and then that code has to propagate through the carriers.
Internally, with CVS and other systems, code is easy to modify. However, when a 3rd party alters code your library is not directly supporting (or has moved past with newer releases of your own), integrating (or even FINDING) the necessary code changes in THEIR code to incorporate into your modified version is very difficult. Not impossible, but it's complicated, time consuming, and can introduce many, many new issues and an array of testing, and worse can impact dozens of handsets.
Apple uses a single OS base with minor module or API differences. A fix in a core function is easily ported across all systems. Google's base code is easily modified, but porting that modification across hundreds of unique models, each using an array of hardware, and little of it even compatible with the latest release version, is a mess. There are still dozens of handsets fully compatible with 2.1 or 2.2 that don't have it. Many will NEVER have a 2.x version. If this fix is populated only through, let's say, N-2 revisions and Google chooses not to patch all the way back to 1.0.
With the open code base, finding a bug is easy. That also means for hackers as well as coders that fix the bug. Apple can release a patch for all iPhones in days, or less if it was REALLY critical, and all anyone needs to do is plug in and it gets it (including a full backup). OTA code updates whack data that is not protected, restore of android apps post upgrade is a PITA, and that update might take WEEKS to get to your handset even if google has the patch today.
Also, people "generally" trust what's in the Google marketplace, as it is a policed market on SOME level. That means apps there typically get installed without question, but this is very false security. Apple looks VERY deep into the program operation, including directly questioning why some APIs might be included if there's no obvious NEED (not just a reason, but a NEED); Google skims the surface. Apple can pull an app quick and then only jailbreakers could still get it; Google pulls one and it's available tomorrow in another marketplace, under a new name, still with the same virus in it.
I think Android is a far more powerful platform, more flexible, I think it even looks better (though it needs some UI love and some better design). However, because Google has no direct patch authority, and because carriers are not FORCED to maintain current code bases on all released devices, and push patches within acceptable time frames, having an Android device is very dangerous. Worse, it's literally PUSHED on thousands of consumers who have no business having a device as powerful as it is. There really should be an Android "lite" (or a hidden PRO mode that has to be activated and comes with warnings).
Hackers KNOW planting a virus on Android can take weeks to eradicate, and on some devices will never be removed. Multiple viruses have already gotten through Google's defenses, and the frequency is increasing quickly. Apple is not only harder to get past (deep code inspection), and quicker to patch (no middle men to worry about), but they're also half the market segment now too. Also, putting an app in Apple's store means VALIDATED background checks and easy trails for cops to follow, not so much in Android marketplaces... putting viruses on iOS is dangerous for the hacker, and a much more limited and difficult target. It's not security through obscurity, it's security through trouble and risk and very real protections, and rapid response. It's not worth hackers' trouble with such a rich and easy to exploit target as an alternative.
If ALL device mfrs were required to guarantee continued update support, within 1 week of a google patch release, for all devices sold for +2 years from last date of sale, and forced carriers and device makers to port all "compatible" features of new OS releases (as Apple does, 4.2 runs on everything except gen 1 which is now more than 3 years old, just not all the bells and whistles of it) within 30 days of Google release, then we'd have a platform with better security, and less fragmentation.
Still, even if they got all the manufacturers in line, modularized the entire thing for 3.0 (breaking all existing apps), all they'd do is drive up the cost, and limit the model availability.
My real reason for not diving in though, Sun.... I have a sneaking suspicion we'll be seeing a cease and desist order from a court here, possibly within the year, ordering all code development on Android to stop short of removing every line of Sun's code, and a 1-2 year setback in Android development, and a multi-billion dollar fine, and removal of many core features or functions. Android is very much in violation of very strong patents, it's not a minor slight, and it's clear and obvious, entire sections of code copied and pasted.... It could very well be pulled from the market entirely. I can't take that risk.