I sometimes skim through the vulnerabilities patched in the monthly updates by Google in Android. And I get the chills.
For example, I am looking at the current list of March 2020 fixes. This is a critical vulnerability with remote code execution effects, which was authored on December 17: https://android.googlesource.com/platform/external/libavc/+/ffcf2a87d66f935210ebd011eed474514d086b40
I remember looking at other patches for critical vulnerabilities in the media framework in the previous months that took even longer.
1) Why did it take 2.5 months to be released? It should have at least gone out in February.
This USB vulnerability with escalation of privileges was patched in August 2019! https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d4472d7bec39917b54e4e80245784ea5d60ce49
Android is not secure. It does not take a genius to monitor the commits for vulnerabilities.
2) Why is there in general such a big gap? Why are patches not at least pushed in the next month's updates?
Somebody posted before that the average time between a patch being available and an exploit being seen in the wild is 4 days.
Considering the delay between code commits and deployments to the devices, this leaves a pretty large window for a malicious attacker to exploit them.
3) Because of the 4-day gap, it seems that even "next month" is not soon enough. I understand that the patch should be tested, but should we not be working toward getting a 1-2 gap between commits and deployments?
BTW, this is a problem for ALL open-source systems.
It seems that closed-source systems written by talented teams may have the advantage that the exploiters have to work a little harder to find the vulnerability, potentially delaying the time when an exploit is found and giving a time advantage to the system against exploits in the wild.
4) Is this the main reason why Apple devices are more secure than Android devices?