I think Google has understood the systemic security problems in Android pretty well since the beginning, but adopted a typical data-driven approach: gather data, and when/if phones start getting compromised, start figuring out what countermeasures are cost effective.
I wouldn't agree with the statement. The Android app store is filled with apps that steal user data and malicious apps. It only gets cleaned up when somebody does some research and tracks things down and it ends up in the press.
Or maybe that it's just cost effective to have others do the work for you?