Android isn't in the list. I went back to the original article and found its entry:
6 total vulnerabilities 4 high severity 1 medium severity 1 low severity
This is really interesting. Why? Because the state of actual security of Android in the wild is atrocious. And yet in terms of vulnerabilities the OS itself is pretty low. Why the contradiction? Most people probably are already answering: OEMs. Regardless of whether it should be the OEMs stepping up or Google having set up a different model in the first place, the unpatched and out of date Android systems out in the world are innumerable. Vulnerability stats aren't the only key part of security - update model is a critical part so any discussion about relative security of different platforms needs to include this.
If Google genuinely thought that their 90 day policy improved security then where they should direct it, is against their own OEMs. Either Google is responsible for Android security or it is not. And if it is not (as is frequently stated by those who argue against critics of Android security), then Google should be treating the OEMs that same as it treats other companies such as Apple and Microsoft. Android is currently where Microsoft was in the XP era - fragmented updates across a userbase that is largely security-ignorant. And like Android, MS wasn't selling it directly in many of these cases, but leaving responsibility with the OEMs.
MS eventually realized two things: One, whether it was the OEMs fault or not, it was harming them. Two, educating users on security wasn't working. So they took back control and they started putting in their own security tools even though that upset their business partners who sold anti-virus software of their own. Google needs to look at doing the same thing even if it's painful or upsets their OEMs.