GPU bugs are particularly concerning because they have significant power (the GPU can often map all of physical memory if convinced to do so) and widely exposed (lots of things need graphics). Turning one of these into a full chain can often require zero bugs if the buggy API is callable from JavaScript, or one to escape the VM and poke the driver.
If you can use Windows without it getting full of malware, you can handle unpatched Android LPEs too.
Keep in mind, Webview, browsers, email clients, etc are patched via app update mechanisms.