When Google (GOOG) discovers a vulnerability in the Android operating system it issues a fix in a small update or in a future software version. Millions of Android users will never see an update, however, and will be left vulnerable to hackers. Unlike the iPhone, which Apple (AAPL) controls and can freely distribute software updates to, Android users are left at the mercy of their manufacturers and wireless carriers.

“When Apple decides that it’s going to give a security update to consumers or a feature update, every consumer who plugs their phone into their computer gets the update whether or not their respective regional carrier likes it,” said Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union, at the Kaspersky Security Analyst Summit, according to Wired.

The analyst explained that with Android, “you get updates when the carrier wants it and when the hardware manufacturer wants it, and usually that’s not very often.”

More often than not, Android handsets are left forgotten and unprotected despite the fact that a customer is still on a two-year contract. It can take over a year for carriers and hardware vendors to distribute new firmware updates, even for the most popular Android smartphones.

“This is not an instance where I’m criticizing Google for not fixing the bugs,” Soghoian said. “Google’s team will usually fix it very promptly and make it available to all of their hardware partners. The problem here is that fixes for critical security vulnerabilities are simply not getting downstream and reaching consumers.”

Kim Zetter of Wired noted that a September 2012 study from DuoSecurity found that a majority of Android devices sampled in the study had unfixed vulnerabilities, despite the fact that Google had issued patches for the problems.

The truth of the matter is that manufacturers and wireless carriers are more interested in releasing new devices than fixing older ones. Sogohian pointed out that carriers and hardware makers blame each other for the delays and in the end consumers are left with an outdated and vulnerable device.

“You don’t need [a zero-day exploit] to attack most Android devices if consumers are running 13-month old software,” he said, adding that it is time for carriers to either accept responsibility for the devices they sell or grant Google the same control as Apple.

The analyst concluded by explaining that a solution will likely never be found unless the government steps in.