While that is true, it was Google's choice to allow binary device drivers for Android interaction by the vendors.
It are these proprietary device drivers which are preventing initiatives such as Cyanogenmod and others to provide a clear upgrade path.
It illustrates the big mistake Google makes in this regard (allowing binary drivers and focusing on Apache licenses).
The position of Google is strong enough to make a stance in the interest of the users (and the world) that all Android drivers should be OpenSourced... in that way the users can 'bake their own' and get their own responsability with respect to upgrades.
The current situation brings the responsibility upon unwilling HW vendors, unwilling providers and ultimately Google.
Sooner or later this is going to blow up into the face of Google because bigger security problems will one day be found!
It's time Google takes a stance for OpenSource software in the interest of the users and the larger common good (certainly now it's completely on par with their own interests)!
Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau