The bad news
Now for the bad news. When exactly these fixes will filter down to actual Android users is not clear
What's unclear? Many, maybe most, of the vulnerable devices won't be fixed -- ever.
Let me add that if the number of major flaws potentially affecting security is -- at it appears to be -- very large (I'm thinking maybe 10**8 or so potential CVEs ... and growing daily), patching our way to security is simply unworkable. It won't/can't happen.
Likewise, expecting manufacturers to always deliver secure code and hardware is expecting the impossible. Probably they could do better, but it's far from clear they can do well enough -- even if they actually try -- to make much difference.
What's the answer?
My personal (inadequate) answer is to not own a smart phone, not use on-line banking, avoid PayPal and other digital dens of thieves as much as possible, and to back up my PC every other day. But I'm still exposed to security blunders by merchants, conventional banks, credit card companies, utilities, etc,etc,etc that have a real need for data about me.
Collectively, I think the answer might be something along the line of rethinking this "everything should be connected" idea. Maybe much less should be connected and what is connected ought to be subject to some rules based on a serious concern for security and user safety. I'm not sure that's enough, but it might be a start.