ANDROID is going from strength to strength. Around 600m of the nearly 2 billion smartphones ever sold use Google's mobile operating system, estimates Horace Dediu, the boss of Asymco, a mobile-analysis firm. How odd, then, that nearly three-fifths of those that remain in active use, both old and new, rely on outdated versions of it. That is partly because old gizmos do not have enough oomph to run the latest iteration, called Android 4, and partly the outgrowth of Google's choice to exercise only loose control over its operating system after each new version is released. The worrying consequence is that a vast number of phones do not receive software fixes, known as patches. Worse, many cannot be patched even if the owner wants to, says Rich Mogull, boss of Securiosis, an independent security-research firm.

Unlike Microsoft, say, which rakes in a licence fee for each device that uses its Windows Phone 8, Google does not charge manufacturers for installing Android on their handsets. Nor does the Open Handset Alliance, a trade body which acts as a beard for the operating system. That helps makers of Android-based phones keep costs down. But Microsoft also has a laundry list of specific hardware features that must be present in every phone labelled with its marque. Google does not, and only requires that phones pass a certification test to demonstrate that they can run the operating system and carry out a number of tasks accurately. The lack of more specific hardware requirements appears to provide the perverse incentive for handset makers to scrimp on kit, too—at least on all but premium smartphones.

Cheap kit, in turn, means low margins, so manufacturers must rely on volume to generate profits. This is possible because their customers are not, for the most part, consumers, but mobile carriers, who seek low-cost phones either to make them more affordable to subscribers or to reduce the total subsidy they offer to users by charging a fraction of a phone's price in return for a steady stream of cash from long-term contracts. (Tablets and other non-cellular devices have different pricing issues, but often remain stuck in older versions as well.)

As a result, tens of millions of phones run the version of the operating system with which they were shipped, perhaps with one or two minor tweaks. Even phones with the chips and memory to handle upgrades often do not receive them because of the support costs: handset-makers and carriers prefer to have consumers buy new phones than to provide technical support for old or outdated models.

Most phones cannot directly download Google's regular feature, bug and security updates, let alone overhauled versions of the operating system. Instead, Google picks a partner phone maker, like Motorola (which it now owns), to release a revamped operating system in one or two handset models. Only later can other phonemakers and mobile providers retrieve the source code and test it with their kit. They often customise their version of it, and sometimes lock the phone to prevent the user from changing it, explains Mr Mogull. It is then up to the carriers to release updates for older phones. "Many don't," he says. The updates cost money to develop and take resources away from newer projects.

This is in contrast to the approach pioneered by Research in Motion (RIM), a now-floundering Canadian maker of BlackBerry devices which used to make up a large portion of the business market. RIM built its own operating system and gear, and distributed updates to end users with little input from mobile providers, beyond sticking a carrier logo on the start-up screen. Apple has gone further, cutting carriers out of the loop completely by making even the tiniest releases available directly to users. It consigns older hardware to the bin, providing no further updates except in the case of serious security flaws. But it only actively sells phones, including older models, that are capable of running the latest release of its iOS. (The company has disabled certain features at a carrier's request but only after an update was released.)

Google has so far avoided big security breaches by having devised a resistant core system. This is true of all modern operating systems, desktop and mobile. Microsoft learned this the hard way, after being pilloried for the rampant vulnerabilities in its Windows XP, the operating system of choice as broadband usage surged in the early 2000s. But security features in subsequent versions of its flagship product, from Vista to Windows 8, received nothing but praise. In this respect, at least, the technology-industry veteran can teach the upstart a thing or two.

Correction: This post originally stated that two-fifths of Android smartphones used an outdated release. It is, in fact, three-fifths that run releases prior to 4.0, according to data Google compiles.