Google's Android operating system is the most widely deployed in the world, and is used by hundreds of different smartphone OEMs. That large ecosystem, along with OEMs that have varying timetables, resources, and "desire" to keep smartphones updated, has led to fragmentation. It's why we see new devices still being announced in 2020 running Android 9, and devices that, in some instances, lose access to new Android builds after being on the market for only a year.
OEMs, with the help of Google, are thankfully accelerating the pace at which they release updates, especially when it comes to security updates. A new report from Security Research Labs (SRLabs) indicates that there has been a decrease in the number of days it takes for OEMs to release Google's monthly security updates, dropping from 44 days in 2018 to 38 days in 2019.
When it comes to patch availability, three vendors stood out from the pack: Google, Sony, and Nokia. It should come as no surprise that Google would be among the best-positioned companies here with its first-party Pixel hardware. That’s one advantage of being in control of both the hardware and the software of its smartphones (this also benefits Apple with its iOS devices).
"The fast vendors use vanilla Android rather than highly customized Android versions, hence have less effort in applying patches," writes SRLabs. "The fast vendors have also released fewer devices, further streamlining the patching process compared to vendors who have a large portfolio of devices to maintain."
Some top-tier manufacturers like Huawei, LG and Samsung are pushing out monthly security updates within two weeks of Google posting them, while Motorola isn't too far behind. Interestingly, some of the more popular names like ASUS and even OnePlus are far down on the list, taking 21 days and 25 days (respectively) on average to release security patches to their customers. Bringing up the rear was Xiaomi, averaging 31 days between Google posting a patch and the company making those security updates available to customers.
"We found vendors best able to patch the versions of Android most commonly found on their devices," the security firm writes. "And it takes a longer time for vendors to provide security updates for less widespread Android versions. As a result, the Android ecosystem still has security challenges that arise from its fragmented nature."
In the end, Android fragmentation and the "patch gap" are improving, but there is still a long way to go. And it's up to individual OEMs to improve this performance unless Google wants to get more heavy-handed with its policies.