One problem is that patches and updates cost money while producing additional revenues, since the customers have already bought their phones.
"The phone manufacturers have enjoyed a lower development and maintenance cost for their non-undateable or high latency updatable devices," said Chris Wysopal, CTO and cofounder at security vendor Veracode.
Google should continue to put pressure on them, he added.
"Perhaps they could force a logo program where you need to have some minimum update latency to achieve the Android logo or perhaps a new 'Android Safe' logo," he said.
For carriers, releasing patches without fully testing them could disrupt their networks, which is a significant risk to them, said Stephen Newman, CTO at security vendor Damballa.
"Imagine if a carrier allows security patches to go untested and one of them brings down a major carriers network or multiple carrier networks," he said. "Colossal damage."
If Google presses harder for faster updates, it needs to make testing easier for the carriers, he added.
"Ultimately the carriers may elect to limit even further the number of devices they will sell, thus limiting the number of options for consumers but also limiting the amount of devices they have to test," he said.
Limited choices could mean that carriers lose customers, said Tim Strazzere, director of mobile research at security firm SentinelOne. In addition, carriers and manufacturers may become reluctant to use the Android operating system.
"If they push for updates while providing better tools and helping the OEMs and carriers, they definitely stand a fighting chance to improve the ecosystem, which in turn makes everyone have more up to date and hopefully safer devices," he said.
Meanwhile, if the industry is unable to make progress on the issue, the government may step in.
Last month, the FCC and the FTC announced that they are asking mobile carriers and device manufacturers about how they release security updates.
"Consumers may be left unprotected, for long periods of time or even indefinitely, by any delays in patching vulnerabilities once they are discovered," said the announcement.
"Shaming manufacturers and carriers may not be a silver bullet, but combined with pressure from the FCC, we may see security update timeframes start to improve," said Chris Eng, vice president of research at security firm Veracode.
Sign up for CIO Asia eNewsletters.