re: Android Smartphone Sellers Should Patch, Refund Or Perish
I think it makes a lot of sense to lay this issue at the feet of the carriers, especially as Washington wavers back and forth as to whether or not the end user can root and then modify their own devices.
Example - latest version of the Android OS is 4.2.2, released 2 months ago. My personal phone, from one of the big manufacturers on one of the big carriers, is only at 4.1.2 and reports with "Your device is up to date". My wife's phone is on 2.3.6, same carrier, different manufacturer, and also reports as being up to date.
So, the update from 4.1.2 to 4.2.2 is an eye-candy update? Maybe, haven't researched it, but I think that's not quite true. The update from 2.3.6 to 4.2.2, I'm betting, has a few more security updates in it. Now, doing a little research, I'm walking around with a 6+ month old OS load on my device (even though it hasn't been 6 months since the last update was applied) and the wife's phone is running an OS that's 18+ months old.
Coming from a long history in the Windows world, if you're 18 or even 6 months behind in OS patching, you're a target, simply put. Given the ubiquity of these devices and the personal information that gets carried on and processed through them... emphatically yes, the carriers should be held responsible for securing the devices on their network by at least offering appropriate OS upgrades to end users in a more timely manner.