Google's Android and Microsoft's Windows are both widely used operating systems. The two operating systems are not similar in many respects, but there is one very fundamental difference between them, which is how the developer company keeps the operating system up to date. In short, Microsoft release updates centrally to Windows out there in the wild. Google does something broadly similar to the currently supported devices, which amounts to somewhere around 2.5% of the devices running Android 5.1 Lollipop. Because Google designed Android to be very flexible, it means that manufacturers have been able to take the software and alter and modify it as much as they want. This is very different to how Microsoft and Apple have released their mobile operating systems: Apple dosen't release their software to anything other than their own products and Microsoft dictate terms and conditions. Google lets you have it in whatever flavor you wanted, but there are serious implications when it comes to keeping Android up to date. Essentially, manufacturers have comparatively little incentive to keep their devices up to date.
The system to update or patch Android is broken. Let us suppose there's been a major security flaw discovered such as Stagefright; Google releases the patches to fix Android and to the original equipment manufacturers, that change the code and release it to carriers, who may also change things before rolling the update out to customers. This process can and does take months. Many of the devices that could have the Stagefright vulnerability are unlikely to be patched by the OEM because the device is simply too old: manufacturers stick with a two year timescale of keeping their devices up to date and unreasonably expect customers to update after this time. This ignores the healthy market for older devices - Open Signal has just released the 2015 Android Fragmentation Survey and the most used Samsung device is the Galaxy S III, which was released in 2012. The Galaxy S III has not received a software update in some time with Samsung blaming the device's 1 GB of RAM as to why it cannot possibly receive updates to Android 4.4 Kit Kat and beyond. This is not to pick on Samsung: device manufacturers are not interested in updating older devices because there is no money in it for them.
Comparing the Google Android update system with Microsoft's Windows and the significance of the difference is immediately obvious. Microsoft uses the Windows Update Center as a way of rolling and distributing updates from the one central place. System builders and resellers are not allowed to touch the update process: hardware support is separate from Windows, which is a core difference between Android and Windows. Google designed Android to be supremely flexible but a part of this is that it means those who would modify the code should take responsibility in keeping it up to date and patched in a timely fashion. That will require a level of cooperation between carriers and manufacturers that we simply have not seen in the Android world - to keep Android up to date and secure, we will need to accept a shallower level of access. It means restricting carriers and manufacturers access to being able to add bloat rather than change hardware settings, and allowing access to a deep skinning system too but without the ability to modify the operating system. Patches could then be distributed from a central Google source. It is a great idea, but it may take a disaster within the Android sphere for this to be considered a viable option going forwards. By disaster, something like a wide scale malware problem infecting millions of devices. Something on the scale of Stagefright.