Google Security Chief tries to allay fears about Android OS

Google rolled out their Security Chief Adrian Ludwig to try and allay the fears of purchasers of Android devices that the OS is not secure and doesn’t protect the user form malware.
The basis of the argument  was that is that Google is now going through the Google Play store and removing malware laden apps and actively protecting devices on a daily basis making just 1% of Android devices open to the risks of malware pretty much on a par with iOS.
The trouble is, it is all well and good making these statements but it does not make Android as secure as Apple’s iOS when it comes to Malware.
First of all, it is fine cleaning up the Google Play Store but and this is a huge BUT, Android still allows the direct installation from other sources and even just installing direct from any old website making it possible for adverts and links in email to download and install applications that  house malware.
This is not to mention all the other app stores out there and to further complicate it, while pure Android may have Google’s protective systems, not all makers keep these features switched on, not all carriers do either with the intention that they will force installation of applications that are from 3rd parties where the party has paid for their products to be used and the default protection disabled instead.   
We haven’t even come to the lackluster Android OS updating.  They can barely do security updates in a timely manner let alone update the devices to have Google’s all new wiz bang security features implemented and operating.  
Exactly where does Adrian Ludwig get the 99% totally secure from?  Does he mean the 99% of devices running Android 7.1?  It certainly doesn’t mean the billions of Android devices running Android 3, Android 4, Android 5 etc because most carriers and most manufacturers have no intentions of updating the OS on devices at all.  For them it is not in their interest to do these updates, it is in their interest to deprecate the devices as fast as possible and push the customers to desire purchasing a new device within 2 or 3 years at the most.
In fact how can we as users trust a company that was comfortable selling advertising to malware creators to entice people to install malware laden applications for various other operating systems and how can we trust a company that informs a rival OS maker of a bug/security flaw in their device and then ten days later publicly tells the world of the security flaw before Microsoft can get a security update rolled out to the customers. 
Yes that was 10 days, a deliberate and malicious act designed to undermine Microsoft.  
So how can we trust Adrian Ludwig when he is happy to put Windows users at risk by authorizing the publication of the Windows 10 security flaw without giving Microsoft enough time to close the flaw and issue a security update.  How can we trust a company that is actively letting malware be distributed with phishing advertising through their own advertising medium?
The answer is, YOU CAN’T.