You can now see why BlackBerry has been devoting so many resources lately toward making Android more secure — it’s clearly an area that needs a lot of work. Via ZDNet, researchers at the U.K.’s University of Cambridge recently conducted a study (PDF) that was funded partially by Google and revealed that the state of security on Android devices is a complete horror show.

MUST READ: iPhone 6s Plus vs. Galaxy Note 5: Real world performance test (it’s not even close)

How bad is this? Because of Android’s highly fragmented distribution and because third parties are responsible to delivering critical patches to their devices, the researchers estimate that 90% of Android devices right now are exposed to at least one critical vulnerability.

“The difficulty is that the market for Android security today is like the market for lemons,” the researchers explain. “There is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.”

Unsurprisingly, the study found that Nexus devices are the most secure Android devices around because they run stock Android and don’t have to rely on manufacturers or wireless carriers to issue patches in a timely fashion. When it comes to third-party OEMs, LG-manufactured devices received the best scores for security, although that’s likely in part because LG has traditionally been a major manufacturer of Nexus phones. Following LG, manufacturers Motorola, Samsung, Sony and HTC all trail by considerable margins while smaller Android manufacturers that mostly serve emerging markets fare even worse.

“The security of Android depends on the timely delivery of updates to fix critical vulnerabilities,” the researchers conclude. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods. We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.”

Check out the entire study for yourself here.