We have an OS security update that is only release to users of a specific hardware, once approved by their mobile operator. It may be added to vendor-specific OS versions some time later (weeks, month or never). The vendor-specific may not be approved by a telco if the vendor doesn't have a relationship with that telco.

Now think that millions of people use the same OS on many different flavours, on different hardware, on multiple operators.

What an inneficient way of doing things.