> by pulling out most of the OS into upgradable components.
That's not true (the most of the OS part). They untangled their own stuff (Play Store, Google services and so on) and can update those as they see fit. The OS stuff is still monolithic. Most of serious security issues still require full OS updates. Also supporting a new major version of Android runtime still require a full OS update.
Most security issues are handled by security updates, which don't require a letter update. They're issued as patches, so OEMs can issue them for an older device without updating it to a new release.
https://www.android.com/security-center/monthly-security-upd...
Most of the major OEMs do. The security update rate for upper tier phones runs about 75% within 3 months these days.
Anyway, I was responding to the comment "Most of serious security issues still require full OS updates." This is demonstrably inaccurate since the security patches do not require a full OS update.
That's not true (the most of the OS part). They untangled their own stuff (Play Store, Google services and so on) and can update those as they see fit. The OS stuff is still monolithic. Most of serious security issues still require full OS updates. Also supporting a new major version of Android runtime still require a full OS update.