Google could even provide the updates directly if they classified their libraries, programs, and apps into those that the carriers and vendors could play with and those that they can't.
It should be perfectly possible to update an SSL library without interfering with any customisation. They could even allow carriers and vendors to veto patches, if the patches really did break anything. Of course the carriers and vendors would have to be given a few days to test for breakage. But, even with such a veto, 95% of Android security vulnerabilities could be patched.
Vendors could still release their own patches for allowable libraries and programs, and Google might even want to assist with infrastructure and control systems for that. Improved vendor patching benefits Google.
This patching issue, and the volume of vulnerabilities, is really hurting Android in big organisations deciding whether to support Android phones.