Where does the majority of the fault belong?
Is it Google for not enforcing sane update policies?
OEMs for not caring?
Is it the "everyday" user being so ill-informed about vulnerabilities?
I also think this is a PR problem in that people throw a hissy fit because of Windows 10 "spying", but turn a blind eye to their phones because they are under the false impression that they don't spy on them, when they do more actual spying than anything Windows 10 does.
I'm glad you asked
The fault is on all sides, but the majority in my opinion lies with carriers. The below pertains to Android devices specifically... iOS devices are a different beast and belong in a different conversation.
* Carriers: Carriers want to move new phones instead of supporting old ones. Unfortunately in Android land, the US (and other) carriers get the final say on builds that get pushed out via OTA (over the air) updates to their devices, which increases complexity by a massive amount. There is way less incentive for them to pay their engineers to test and vet builds they receive from OEMs for older devices that they don't even sell anymore than there is to just try to sell you a new device.
* Consumers: Consumers want the latest devices with new features constantly. OEMs scramble to push the bounds of technology constantly and add in new things to entice customers to purchase the newer phones. Unfortunately this causes a lot of things to get rolled out as soon as possible without being properly tested for the security implications involved with all the new fun things your phone can do for you. Most don't care about the security features of an OTA update at all, but rather how things look and if the phone runs better afterward.
* OEMs: OEMs receive fixes from Google very early, but many times it takes them a lot of effort to get that to all the devices they support. For stupid reasons that I will get angry about typing out, OEMs maintain DOZENS of variants of the same damn device with small, subtle differences. Sadly, this means separate code bases for every device. That means instead of just rolling the patch into a master repo, it has to be done to all available variants of the device and tested on all available variants. Many times the same device, let's say the Galaxy S5 as an example, even has different hardware depending on which carrier you purchase it on. This makes sense for things like CDMA/GSM differences, but even things like WiFi and NFC chipsets have different hardware, due to the SoC needing to be compatible with everything else on the device. This means it takes an absurd amount of time to get something from Google, get it to the carriers, get it tested, and then for the carrier to push it to the device.
* Google: Google actually has to care about the security of the ecosystem and has been behind the 8-ball forever because of how many moving parts are involved in Android and how much of it is actually outside of their control. They don't write the code for proprietary things like Qualcomm hardware, so they rely on receiving that code from other players in the phone space. Many of the vulnerabilities in these devices come from code that Google didn't even write and has no choice but to use. Google tracks this stuff and does a pretty decent (but not as good as Apple imo) job of vetting bugs and fixing them in Android quickly. The problem is that it might take anywhere from 6-8 months typically, after a bug gets fixed, for it to actually make it to a handset. This is because of all the other shit I mentioned above heh. A further complication is that OEMs extend and hack the shit out of Google's code; Samsung is the worst offender here. They literally change fundamental things which make it impossible for OEMs to just cleanly paste in a fix in many cases, because the patches just won't cleanly apply at all due to all the various changes that have been made to the code base.
Sorry for the long-winded response, I have truncated this extremely, if you can believe that.
