Android is by far the most popular mobile platform judged by both numbers of phones sold and numbers of phones in use.
However the news that only 20% of Android handsets are running variations of Android 5 Lollipop months after the announcement of Android 6 Marshmallow shows the inherent difficulties of treating Android as a single homogeneous platform.
Even if you just consider Google Play devices.
Any device not running the latest release of Android is vulnerable to all sorts of attacks. If you believe the reports coming from various sources those vulnerabilities are relatively simple to exploit and any sane user would be very concerned about access to the information stored on their phone.
Google isn't able to manage updates to the core Android platform at all well. Even tier one partners - the Samsungs, Sonys and LGs of this world, aren't able to get timely releases of updates pushed out to their users. By the time they have received a fix for an exploit from Google, tested it and the passed it through the carriers the weakness has changed or the fix been worked around or something new has been identified.
Even buying an unlocked device which isn't tethered to any carrier is no guarantee of a timely update.
As for those buying at the low and mid-range of the smartphone market the position is even worse. Low end Android phones almost never get updated. And with so many of those still running KitKat the security holes must be legion.
Android is awesome for its ability to be flexible, customizable and freely available to any OEM who wants to put it on a phone. Yet its patching and update weaknesses are surely going to be a source of serious trouble at some point down the line.
Google is very keen to publicise zero day exploits on other platforms, however until it has worked out a way of securing its own platform maybe it should wind its neck in. People in glass houses, and all that.