The security of a device can be very dependent on how it is used, however Android devices are designed to offer users control over their mobile environment. Consequently, Android users can install whatever they want from where ever they want, which exposes them to a comparatively high level of risk.
However, if a user only loads applications from official stores and keeps their device and its applications up to date they will have a generally secure experience. That being said, a number of remote access vulnerabilities have been discovered this year for which the Android patches have not been made immediately available, if at all, by some vendors.
At present, mobile devices are not the path of least resistance for gaining access to sensitive content and consequently are not as appealing a target as they otherwise would be. This is in part, a result of the fact that it is not often possible to target users remotely. An attacker would normally have to pick their targets and focus specifically on those individuals.
Most of the malware that exploit users indiscriminately attempt to trick users into sending premium rate SMSes. These malicious application are rarely available on the Google Play Store.
If the current techniques preferred by the majority attackers were to become less viable, we would likely see a change in the number and type of exploits developed for mobile phones and applications.
As with traditional computers, the most secure system can still be breached if the people who use it do not operate in a secure manner. User education is vital, and will remain vital even if the patching policy of vendors improved. Android is a platform that is intended to provide users with a large degree of freedom.
While this remains a core component of the Android platform, the security of individual Android devices will be subject to the practices of its owner.