Re: Patching speed is probably the issue
The risks of Android are routinely overblown – not to say that they don't exist – but the attack vectors are usually outside normal use patterns. This doesn't, however, excuse manufacturers from improving their woeful update practices.
What you suggest simply isn't possible at the moment because the kernel on each phone is owned by the manufacturer and any kind of OTA is going to rely on their keys, or you open the door to drive-by hacks of the kernel.
The only way things will change is if cases, such as the one currently winding its way through the Dutch courts, decide that manufacturers are at fault and impose sanctions / requirements. I'm not holding my breath on that one as the software industry has a dreadful record of providing security updates.