However, companies can warn employees not to download software from unofficial sources, or use a mobile device management tool to restrict what employees can install on company-provided phones.
"Though there are many workarounds to those policies," he added.
Companies can also use a solution that checks whether devices have all their patches up to date and put additional access controls around those that don't.
What really needs to happen is that the Android update and patching system needs to change, Lady said.
Or companies can switch to Nexus phones, he added.