Needed, but not easy.
Well, SOMETHING needs to happen on the Android front, not just from a new features perspective (which makes sense for Google to be keen on pushing), but from a security perspective too: There are so many manufacturer-abandoned handsets out there, we've probably reached the tipping point where Android has lost its "Herd Immunity" from having a high enough proportion of handsets up to date and secure, that the whole ecosystem benefits, even the phones that aren't up to date.
But if this is Google's end game, I can't see a quick and easy way of getting there: Yes, the carriers and manufacturers have a vested interest in making handsets legacy as soon as the next year's model is out, but another big problem with getting updates out is the chipset makers not testing and releasing drivers that work with Android next. Google has the clout to make them, but that doesn't help the clusterfuck of Firmware and low level device issues.
Only reasonable way I can see this being fixed is for Google to Hypervisor and Abstract their way out of it: I can see Android Peppermint or Quesito ending up with a small bare metal host system that virtualises all the hardware and is the manufacturer's responsibility, with everything above that level in the guest system updatable by Google.
Heck, throw in a Microsoft OOBE style system so carriers can push their (needless) customisations onto people, and they may be able to fix the security mess without an open revolt from their hardware partners.