It's not like you can't make an OS secure and keep it so, while allowing it to run on multiple platforms. Just learn from the errors of Microsoft. The problem is clearly elsewhere.
Android update availability is clearly only for marketing purposes. Think of it, new vulnerabilities help people decide to buy a new phone/tablet/whatever, and that's good for those who sell Android gadgets.
Phones are meant to be consumables, to use & throw away, any effort to make them last more than 6 months is wasted money. Glued batteries, quick & dirty software, everything points to the fact that you're supposed to bin it as soon as the next version hits the stores. Any fixes will be implemented in the new version, but obviously not back ported to what is now supposed to be landfill. That would be counter-productive (to put it mildly): People don't change their gadgets often enough, so phone makers need all incentives (legally available) to make people buy an new phone every year.