Not at all worried.
"and can spy on you and mess with applications without you realizing what's going on."
That's just Google's binary blob, isn't it?
Google has emitted its latest monthly batch of Android security fixes, addressing a total of 70 CVE-listed vulnerabilities. The March update includes 17 patches for flaws described as critical remote code execution holes, though only one is actually documented due to the other 16 residing in closed-source Qualcomm components …
Yes, the Android ecosystem patch mechanism is well and truly broken, and this is at least as much Google's fault as anyone else's. AOSP aside, Google is forcing various conditions on Android device vendors to include Google crap; they could certainly force them to do a better job of distributing updates.
Though having said that, getting patches isn't all roses either. I finally have a phone that receives regular updates, and each one either breaks existing functionality (fortunately, generally something I don't care about, though a recent one removed the global disable-sync option) or adds some new horrible annoyance.
After I installed the one before this latest, the phone started pestering me periodically to enable VoLTE, despite the fact that 1) I don't fucking want it, and 2) it can't be enabled anyway, because I'm in a microcell that doesn't support it. A bit of online research turned up hundreds of complaints about this behavior over the past few years. This sort of thing makes me want to find the person who made the decision to add this irritant and commit a few acts of violence.
This sort of thing is one reason I refuse to buy new phones; the manufacturers haven't earned that kind of money from me.
"Other Android owners will have to rely on their device vendor or carrier to test and release the fixes, a process that can take days or months or never."
Or, install custom firmware that includes the fixes. Not always the easiest option, but it'll do the trick. Everyone seems to forget you can do this.
The lack of updates (mostly due to planned obsolescence by makers) to billions of Android phones made the BBC Radio news this morning.
Then you have Samsung saying that their latest phones will only get two versions' worth of updates, which really leaves me with a lot of confidence in the Android platform (NOT).
https://9to5google.com/2020/03/03/samsung-galaxy-s20-android-updates/
Talk about throwing good money down the toilet. sigh.
Two Android versions' worth of upgrades isn't bad, at least in part because the mandatory hardware requirements are upped for each version. Presumably large manufacturers are given information about this by Google when they design phones, but I doubt even Google knows what the requirements will be three versions ahead, because by then there might be some game-changing new doohickey that will be a must-have for all phones.
You could always explore the Android One route.
The incredibly bad security update policies of my previous Huawei and Samsung mobes finally convinced me to look around for more secure alternatives. I stumbled upon Google's Android One program and went with a Xiaomi Mi A2 Lite. I bought the phone last summer, which according to its build number was produced in 2018. I have been receiving regular/quasi-monthly security updates ever since, with the occasional slight delay.
My current Security Patch Status is dated 01.01.2020. That's a far cry from what I was used to with Huawei and still miles away from my Samsung.
Are you sure of that? I've also got an S6, latest update I received was in June 2018. Latest available firmware on Sam Mobile is from Sep 2018. The model is not even listed in the Security updates schedule page.
It's a corporate mobile on Vodafone UK, so I can't unlock or root it to install the latest firmware.
Google should use their vast influence to tell manufacturers they need to offer security updates for 3 years on all Google-certified devices they sell with Gapps installed. You could argue this might make the device makers consider another OS, but we have already seen how Huawei is struggling to shift its non-Gapps Android devices outside of China, so I doubt they would be willing to move off Android onto another OS to save a bit of money on not having to supply security updates.
The CVE-2020-0069 elevation-of-privilege hole can be exploited by a rogue installed app to inject a rootkit into the firmware of a device, which could be an Amazon Fire tablet or gear from Motorola, Sony, Xiaomi, and others.
Checks recentish Android phone (Moto G6 Plus): the last update was January 2020...
I realise that is better than many rival phones.