I've been a android user for over 6 years. Yes most phones on a OS level is not fully updated however with play services and verify apps 90% are.
All os are vulnerable, no software is 100% exploit free, eventually a vulnerability will be found. The point I'm making which you seem to miss is that Google have put security checks in place to catch these exploits hopefully before it's found or asap after its found.. all Im saying is look Google were told about this exploit, they have patched 3 of them on a os level and all of them on a software level via Google play services/verify apps. Now if a user decides to ignore googles security checks and bypass the verify apps then that's on the user. That is literally all I am saying. Google are doing what they can and users need to use common sense on there behalf too. If they pirate apps or download a app to supposedly make there phone faster and before even installation happens a pop up from verify apps says this is dangerous do not install and the user still installs it then it's not Google's fault. It's like you have seatbelts in cars, it's meant to be used. But if the driver has a accident and never had seatbelt on, they can't then blame the car maker because they decided to not wear the seatbelt. Same thing here , if googles warns you and decide to not listen then it's on you.
Are you saying rooters shouldnt be responsible for what they do their devices or you think OEMs should supports them too no matter how much tinkering they do.