At least these nasties get patched on *every* supported iOS device on day one.
Android users, good luck.
I agree and disagree at the same time.
In terms of monthly security patches, yes, Android OEMs, other than Samsung flagships and Google, sucks. Google can do better, as right now, they only require OEMs to give quarterly security updates for 2 years at minimum to get certification. Obviously everybody is doing the bare minimum, or even less, especially the Chinese OEMs (where some of them have been caught faking security patches, only changing the text without actually pushing the patch. It shows how lazy these OEMs are).
At the same time, Android has evolved and been compartmentalized that users are still protected. Let's say there's a security issue on Google Messages app. It's available via the Play Store, so it can be updated by Google anytime for as long as Google wants, even after the phone itself stops getting OS updates. Same with the Chrome browser, Google Maps, etc. This is in contrast with Apple where everything is monolithic. You will only get Safari updates part of iOS updates.
Also, there's Play Services. This allows Google to push updates and features to even old Android devices. Take Nearby Share, Android's version of Airdrop. It's a new feature announced in 2020, but it is supported way down to Android 6 devices thanks to Play Services.
I agree that I wish Android can be more proactive in pushing the monthly security patches. At the same time, the challenges have forced Google to innovate by compartmentalizing Android piece by piece that some part of it can be updated independently from the OEMs/carriers.