No, the issue is that it's open source and carriers customise the components. Android had a working online update infrastructure since day one, actually since before Apple did. But that's no use when the first thing OEMs do is repoint those mechanisms at their own servers and make huge changes to the code.
The comparisons with Linux are especially strange. Guess what? Upstreams who develop software for Linux and see it get repackaged by distributors are in exactly the same boat as Google. They see their software get packaged up, distributed, bugs possibly introduced and then upgrades may or may not make it to users. Yeah yeah, Debian say they backport security fixes. That's great when it's a popular package and a one liner. When the security fix in question is a major architectural upgrade, like adding a sandbox to an app, then users just get left behind on old versions without the upgrades because that's the "stable" version.
And of course many users are on Linux distros that stop being supported pretty quick. Then you're in the same boat as Android: old versions don't get updates.