@Ledswinger - prevalence of actively exploited ... on Android v Windows
People - including/especially bad guys - go where the money is. At first malware was just to mess with people, the only thing the author got out of it was notoriety. Malware 2.0 came when building armies of bots for spamming became something you could make money with, so malware become monetized. As botnet armies are becoming less profitable for spamming we're starting malware 3.0 now - monetizing via ransomware.
Phones were never useful for spam botnets, so they were irrelevant to malware 2.0. Having a backup of your phone is (ironically) a lot easier for people than a backup of your PC, so malware 3.0 isn't likely to be a factor on phones either.
There are plenty of exploits found every month on phones, but in order to develop specific mass attacks, there has to be some monetary reward waiting. Otherwise the bad guys are going to continue putting their efforts towards PCs instead of phones, since they know there's a payoff waiting on PCs but not really on phones.
The reason people are willing to pay big bucks on the black market for a 0 day on Android (and even bigger bucks on iOS) is not because they want to use it to hack a million phones. They want to use it to hack a few specifically targeted phones. If they can attack the phone and turn it into a tracker or maybe even a listening device, they can make a lot of money with the right target. Let's say they could listen in on some sensitive meeting - they could find out about a merger before it happens and make millions in the stock market. But what would be the point of listening to a million phones, what could you do with that? Nothing, because it would take forever to find the one or two conversations that you could monetize.