Why Can't Google Just Switch to Pushing Android Security Updates Directly to Users?
The crux of the problem is that with only a few notable exceptions, every phone ships with a fork of Android, not with the software written by Google. So Google can't push changes to Samsung's phones any more than FreeBSD can push changes to Apple's MacBooks.
Android is Open Source, which is a bit unusual. This is the first time a major consumer operating system with this size of userbase (1.4 billion users and growing fast) has been an open source project rather than a centrally-controlled one. We're used to the idea of the creator of the OS being able to take responsibility for updating it. And as evidenced by this question, we somehow expect Google to be able to control Android the same way Microsoft controls Windows and Apple controls iOS.
But by allowing companies like Samsung and Sony and Motorola to ship their own modified version of Android, Google gives up that control in a way that they can't get it back. Samsung then takes over not only control of their own flavor of Android, but also responsibility for keeping it updated. And by allowing Verizon to fork Samsung's version, Samsung then sheds both control and responsibility now to Verizon.
Theoretically this all works; theoretically Verizon will be just as responsible and dependable as Google. Except when they're not.
So there are three possible solutions. Either:
Manufacturers could start taking more responsibility for their OSes. Since Samsung's Android belongs to Samsung, we get nowhere unless Samsung takes some initiative on keeping it updated. This may require some cooperation with companies like Verizon if Samsung has allowed them to fork the code as well. This is more or less the status quo, but with more wishful thinking.
Google could take back control of Android. By switching to a closed-source license, they could impose licensing restrictions like requiring companies like Samsung to push patches within a limited timeframe. Of course, if Google went this route, there'd be no end of shouts about how "evil" and "anti-consumer" they were being, despite the fact that they're literally the only major player that is Open Source to begin with. Politically this is probably a no-go.
Companies like Verizon and Samsung could voluntarily give control back to Google without being forced into it by a licensing agreement. This is the sort of utopian arrangement where companies decide to do the right thing of their own free will. Until a few weeks ago, this was the least likely of the three. But since the Stagefright mess, several companies have pledged to do more or less exactly this.
So we'll see where it goes in the coming months and years.
It was a big issue till very recently, but it is changing right now.
New Android versions (O and P) feature something called Project Treble.
From the linked page:
One thing we've consistently heard from our device-maker partners is that updating existing devices to a new version of Android is incredibly time consuming and costly.
With Android O, we've been working very closely with device makers and silicon manufacturers to take steps toward solving this problem, and we're excited to give you a sneak peek at Project Treble, the biggest change to the low-level system architecture of Android to date.
The general idea is to separate the vendor compatibility layer from the rest of the system. New Google updates to the system core are compatible with all phones supporting Treble, without any additional work from the vendor.