In a Twitter exchange about why HTC is not committing to the same monthly security patch pact that Google, Samsung and LG have already made, HTC's USA President, Jason Mackenzie, said that such a commitment is "not realistic." The reason he gave is that carrier approval processes usually take too long for this to work.
The first company to announce a monthly security update was Google, after the Stagefright vulnerabilities that affected about a billion users were made public. Soon after that, both LG and Samsung committed to monthly security patches as well, but it's not clear whether they were sure they could continue to deliver them month after month, or whether it was just something they were willing to try.
At the time, neither company said how long their devices would receive these monthly updates or which devices would continue to get them. Some of their high-end devices were patched, but that was because of the severity of the Stagefright vulnerabilities. Most of the major smartphone companies were rather quick to issue patches for their more popular and high-end models at the time. However, they all failed to provide updates to all affected devices -- even the ones released in the past two years.
Vulnerabilities such as the ones in Stagefright have shown us that Android needs a more robust security model than the one it has now, where essentially no upgrade is guaranteed for any device. Even the new monthly security patch system falls short, because while the monthly upgrades are somewhat guaranteed, the companies don't say which devices will receive them.
The carriers also don't seem to be doing anyone any favors by delaying the updates even further, to the point where a company such as HTC has to say that it's not possible to deliver new updates, no matter how critical, within 30 days when each update first has to get a carrier's approval.