Android is being handled the same way that other embedded devices are being handled, which is with little to no updates. I thought (sorry, my mistake) that the retirement of Windows XP support and all those POS (translate that TLA whichever way suits) would have resulted in some consciousness raising about mixing between the differing treatments of desktop/server computing and embeds. The former internet connected and updated often, the latter not and not. Usually? Well, hopefully.
We've been extremely lucky that for all the juiciness of the Android target, it's been pretty much left alone. Why go embed retail when the wholesale returns of their bigger brothers are so much more lucrative? And a phone botnet? Puh-leese. (That'll change.) That the targets are so diverse in addition to being diffuse probably factors in as well. So mark this as "The Gilded Age of Innocence."
BTW, IPC has been a threat vector only since, maybe, the '80s.