Google is responsible
@ratfox, agree that Google at one point had to make concessions in order to get Android adopted. That time has passed. I would think if it chose to, Google could fix this in the next MAJOR release: Encapsulate the code that hardware vendors and mobile carriers have access to. Then Google can patch the core OS via the Play Store, and vendors can continue doing OTA patches for just their subsystems as they need to. This would be a huge effort, and a headache for vendors initially.
OTOH, not having a proper way to promptly patch security flaws is evil.