I don't see why Google can't figure it out
(Android security team member here)
It's not that Google doesn't know how to do that. It's that Google can't do that while also having a free and open source OS. Every piece that's moved out of the OS and into Play services is another piece that is no longer open. Moreover, if Google does too much of that sort of thing and removes the ability of OEMs to customize and differentiate their devices, they'll ignore Google completely, filling in the missing bits with their own code. Removing components from the OS is a last resort, not a first choice.
What makes things worse are carrier-specific builds. Apple managed to tell them to F off, Google should too.
AFAIK, Google doesn't do carrier-specific builds for Nexus devices (though I know there is some carrier-specific testing). Google can't control what other companies do. Their devices have to pass the tests to prove compatibility or they can't use the Google apps (including Play, which is the biggest carrot), but that's the full extent of the control Google has.