Apple had the right strategy
The simple fact of the matter is that OEMs make Android insecure. So long as they don't see it in their best interest to get Android patches out in a timely manner to any of their devices that are actually capable of running it, they will leave huge swathes of the Android using public vulnerable to known CVEs. They've got to go. Apple's iron grip on its devices means that devices as old as the iPhone 4S still get updated until recently.
The other big problem for Android security is dodgy apps getting into the Android Play store, or incompetently written ones that overrequest security permissions which some other malicious software can then subsequently exploit. Expect a crackdown in Google Play soon.
Apple basically had the right strategy from the get go when it comes to devices such as phones and tablets, and Google have come to the conclusion that their strategy needs to be more like Apple's.