I came across this item from last month that made me go "say what?!?"
ACLU sues carriers over Android updates.
So why care about this from a security standpoint? Well, delays in updates leave Android phone vulnerable to hackers. It also leads to some taking matters into their own hands to update their phones themselves, which also makes their phones vulnerable. Neither option is good. Damned if you do, damned if you don't.
As an Android user, I can understand this. My phone is still at 4.1.2, when the latest is 4.2.2.
And the process of updating Android phones is complex. More so then some people think. It's not like when MS has an update to Windows. Google releases a new version (after its been released for Nexus phones) to manufacturers, who must modify and test it on their phones, then turn it over to the carriers for their testing and verifying before it gets released to user's phones. The whole process delays things longer then most people would like. And there is no guarantees that a new, official, version will be provided for your particular phone.
It remains to be seen if this improves things or not.
We'll have to keep an eye on this.