Most of the mobile devices sold in the US have to wait a long while for security updates to be developed and deployed, and that's just if you're lucky enough to get one. Most phones don't come with any guarantee of security updates, and government regulators are starting to wonder why. The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) are on the case.
The agencies are conducting separate but parallel inquiries into how mobile device makers manage important security updates. As more people use smartphones as their main computing devices, gaps in security are increasingly problematic. The FCC specifically cites the Stagefright vulnerability as an example of important patches that aren't always deployed to everyone in a timely manner (or at all). The agencies worry that older devices may be left behind too quickly and the delays for devices that do get patches are too long.
According to the FTC, eight companies have been ordered to provide information for the study including Apple, Blackberry, Google, HTC, LG, Microsoft, Motorola, and Samsung. They are being asked to reveal data about how they decide whether or not to patch a device. The agencies are also interested in what devices these companies have sold in the last few years, and which (if any) of them have unpatched vulnerabilities.
Google started pushing monthly patches in the wake of Stagefright, and a few OEMs started doing so as well. However, commitment to deploying patches across the industry has been spotty at best. It's nice that regulators are interested in strengthening security in consumer devices, but the glacial pace of these agencies means it will probably be a long time before anything comes of it.