Microsoft creates some Windows drivers, and works with hardware manufacturers so that there are working drivers for the components in every Windows device. Because those drivers are separate from Windows itself, Microsoft can patch the OS whenever it chooses.
Google is not in the driver business. And they don't package their Android OS. Hardware manufacturers start with the source code, add driver support for a device they want to sell, add whatever features they want to include, and that whole package is what gets stuck on a cell phone. Whenever Google wants/needs to patch something in Android they write the needed code, making it available to all the hardware companies selling Android devices, and that's where things fall apart... Samsung isn't going to revisit the source code for devices they stopped making money on a couple of years ago, & they're one of the biggest companies who might be able to afford it. At the same time, at least in the US, carriers want you to buy new phones on new contracts, so if/when Samsung or some other company updates their software, they may or may not give it to you.
Needless to say, if there is an Android update for your cell phone [or whatever device], at the very least it isn't going to reach you in any sort of timely fashion. So at any given time you have all these millions of out-of-date Android devices, and you can't rely on Google's Play Store to protect you 100% either.
securelist[.]com/analysis/publications/78325/ztorg-money-for-infecting-your-smartphone/
securelist[.]com/analysis/quarterly-malware-reports/78475/it-threat-evolution-q1-2017-statistics/
[There's a couple few interesting stats FWIW at that 2nd link BTW, bearing in mind it's only a single company that's captured more of the market in some countries, so those stats are not likely gold standard.]
Anyway, Google's stepped up telling you about their efforts to keep you safe, with new notifications that you'll see e.g. in the Play Store app. And they're working to reorganize Android a bit, separating the OS parts from the driver & OEM add-on parts [kinda like Windows]. How much that actually changes things on the phones & other devices in peoples hands we'll have to wait & see.
androidcentral[.]com/editors-desk-project-treble-still-has-hurdles
And there are some things that Google doesn't want to copy from Microsoft...
newyorker[.]com/cartoons/daily-cartoon/tuesday-may-16th-windows-cyberattack-update