
Android OEMs Get Stagefright

In terms of security holes, Android's Stagefright hack looks to be about as bad as they get: a malformed text message that can deliver its payload without even needing to be opened. It mirrors a previous issue of similar seriousness, which affected the iPhone recently.
The difference is in the way Google and Apple responded to the incident.
Apple was able to deliver a fix and make it available to all of its users in no time at all. Google was able to deliver a fix, and then OEMs were responsible for delivering it to handsets. Nearly six months on from Google being notified of the risk, there are still handsets which remain unpatched.
The severity of the incident and the weakness of the response have meant that some OEMs have introduced new update policies, either out of a sense of responsibility to their customers (unlikely) or a perceived opportunity to gain commercial advantage (yes, that feels more like it).
Google, Samsung and now LG have all announced monthly patch cycles. Nice in theory, but those updates will ship to the networks, who will have responsibility for pushing them to customers.
And that, no doubt, is where the good intentions will fall down.
Hopefully those users who have unlocked phones not purchased through the carriers should receive a more timely service. However, Google really needs to find some way of bypassing the networks for these high-impact issues.
Otherwise it will always be battling an entirely accurate perception that Apple does security better.