This is an important factor, and maybe the fatal flaw in Android's carrier relationships. Google is always very fast to push a fix out, but the carriers always drag their feet in getting the fix to the actual devices.
It's really not. We're talking about security architecture here (which rolls out only with OS releases) and not security bugs (which get rapid patches on all but the most negligent of OEM devices).
Having a better security architecture works (to stretch the metaphor) like immunization: past a certain adoption level you reach a "herd immunity" state where the marginal benefit to an attacker of a specific flaw drops rapidly to zero even though there are still "old" devices out there in the market in small numbers.
Basically, the market refresh cycle is still at something like 18 months, so even given that OEMs are slow, new Android releases are reaching the public in large numbers fairly promptly.
That is actually a great point: hardware refresh is such that updates get performed regularly. Also, this exploit requires hardware access to the phone, which is generally considered game over in any respect.
It would be beneficial if carriers could come up with updates faster, however. I've seen Verizon drag its feet on more than one occasion, especially with phones that are a generation or two behind.