With Android defragmentation with every phone manufacturer having their
own Android builds, the responsiveness to updates for patches to
Stagefright etc. has been slower.
There are two issues to consider.
First, “early” versions of Android suffered from the problem. Early versions are versions prior to Ice Cream Sandwich (ICS). These devices also had the certificate store burned into ROM and part of the image, so there was no way to update it. The OEM abandoned the devices after the sale, and there’s nothing you can do about it to fix it.
Second, “later” versions of Android address the problem. Ice Cream Sandwich (ICS) allows the certificate store to be updated in the field without a new image. For details (and some very good reading), see Nikolay Elenkov’s blog Android Explorations and his article ICS Credential Storage Implementation.
A final issue to consider is that Apple and Windows Phone suffer from this too. They abandon OSes as quickly as some of the phone manufacturers. It’s mentioned as a footnote because this discussion concerned Android.
An interesting facet of the problem on Windows Phone: OEMs are contractually obligated to apply Windows Phone updates. For a discussion, see Alan Meeus’ Windows Phone: Security Deep Dive. However, it does not address (1) what Microsoft puts in the store (or omits from the store); and (2) Microsoft abandoning the operating system.
(And sorry about not providing links. This stupid bulletin board software made me take them out).