Now, if you're a techie-inclined hobbyist, you're rolling your eyes right now and saying that's not a problem, because you know how to root your device and put generic OS releases on it. Good on you. But you surely won't be alarmed to hear me say that you aren't like most people, and I'm principally referring to generic consumers here.
For those people, it can take months for an Android release to become available for their devices, and it might not happen at all. Many product vendors just stop supporting older devices -- and by "older" I mean six months or more. That's right: You might be locked into a two-year contract with your service provider, but there's a good chance that you will never see any of Google's updates made available for your device. Seriously, at the rate Google releases new versions, you could find yourself two or three releases behind by the time that contract expires.
It is in the security area that this most matters. The fragmentation of the Android market means that app developers can't start using all the cool new security (and functional) improvements in an OS release for a long time after it's been released by Google. At least, not without disenfranchising much of their potential market. So things like keychain storage for authentication credentials just aren't widely used by Android apps yet. App developers instead have to invent their own way of securely storing such data, with predictably random results.
Apple's Security Pros and Cons
OK, so how about Apple's iOS? What's the best and worst there?
Apple's closed and regulated App Store has served its users well so far, despite the many bitter complaints from the tech community. The App Store has a vast selection, and the all-encompassing digital signature hierarchy ensures that only signed and approved apps can be installed. (Again, I'm referring to white-bread consumers here, not the niche market of jailbreakers who bypass the App Store.)