All the remotely exploitable ones are real world threats once the source code fixes are out there so every black hat in the world can weaponize an exploit.
Whether they remain threats only, or become actively exploited problems depends on whether someone has a strategy to profit somehow from exploiting a lot of Android phones, or wants to risk having Interpol come after him for just making a hack to be a bastard. Since the fixes will never arrive on 90% of the Android phones in use at this moment, they have plenty of time to come up with a profit scenario.
Delivery is actually the easiest part of all this. People hack major websites all the time, compromise ad networks, and so forth. No need for complicated scenarios to trick people into downloading apps from a third party store if you can merely embed a "specifically crafted video file" on cnn.com, doubleclick.net, or other location that millions will hit each day.
Sticking your head in the sand and saying that because there hasn't been a mass Android exploit yet it isn't worth worrying about is not a solution. A lot of Microsoft employees and Windows fanboys thought Microsoft had licked the malware problem with Windows XP, which finally abandoned the old DOS based Windows and went to the "secure" NT kernel. When you had Code Red, I.Love.You and others back to back, spreading at internet speed now that everyone was connected, they were forced to rethink that and Microsoft finally had to start taking security seriously. I'm sure Google already realizes this, but the OEMs won't until they have a similar come to Jesus moment.