OEMs largely only have themselves to blame
If they contributed more actively to things that use AOSP then not only would they be able to release security fixes (the most important part) and OS updates much more frequently, but they would have less work doing so.
LineageOS (the successor to CyanogenMod) already has an impressive list of devices and, minor problems aside (do make sure you back up before trying it), is working well. Smoother than CM13.1 on my Samsung S5 and battery life seems better – could be down to Doze. Notifications on CM 14.1 were definitely more of a problem.
IMO Google will only be in trouble if they stop providing timely updates to AOSP. But this would also give OEMs more power and also drive people away from the services they're hoping to make money on.