Android security without updates
Yes, this is accurate. If your version of the Android OS has known privilege escalation vulnerabilities, there is nothing stopping a rogue application from exploiting a privilege escalation vulnerability and thus escaping the sandbox (i.e., gaining unrestricted access to your phone).
This absence of security upgrades is a shortcoming of the Android ecosystem. The ecosystem is reliant upon handset manufacturers and carriers to continue providing security upgrades, but many handset manufacturers/carriers have declined to do so, for economic reasons. They treat the phones as disposable, and don't always show loyalty to older customers. Once the phone is a few years old, they stop providing upgrades and focus on the latest shiny models that are being sold, prioritizing selling new handsets over supporting past customers. This is not very eco-friendly and not particularly customer-friendly. I think it is unfortunate, but it appears to be a fact of life. And so it goes.
There is an excellent analysis of this phenomenom by Michael DeGusta. Here is a infographic showing the results of his analysis:
Credits: Michael DeGusta at The Understatement.
Update (12/26/2012): Ars Technica has a nice overview of the situation with Android updates, a year later. Unfortunately, it's not pretty: things haven't gotten any better, and many Android phones are not receiving updates. The security risks remain.
some valid points... I personally go the custom rom route, you mention having to trust the developer, this is true.... Just like every other open source, community driven project. And for that matter Google, Apple, Microsoft, etc. I find it much easy to trust an open project vs closed source anything. These are choices we have to make with all tech platforms. FWIW, Cyanogen actually works for Google now, so they apparently trust him. (I'm sure you've heard of Cyanogenmod, it's what I and most others use for rom of choice)
not a lot of options at the OS level to get updates if the carriers aren't going to push them, without going rooted/custom.
As for apps in the marketplace, you just want to keep some common sense, just as you would finding and installing apps for your computer. Check out an app's ratings, feedback and download count. These are usually a good indicator.