Security has always been a pressing issue with Android devices. Most users won't know (or care) that their phone is behind on security patches, but being behind can leave them exposed to threats. Only a handful of OEMs are known to deliver timely updates, and some companies outright lie to users.
During the 'What's new in Android security' session at Google I/O, Dave Kleidermacher (who became the Android Security Director in January) mentioned that Google will now require OEMs to roll out regular security updates. You can watch it in the above video (at the 2:14 mark), but here's the full quote:
"We’ve also worked on building security patching into our OEM agreement. Now this will really lead to a massive increase in the number of devices, and users, receiving regular security patches."
So what does "regular security patches" mean? At the moment, we can only speculate. Google requires devices in the Android Enterprise Recommended program to receive monthly security updates within 90 days - perhaps the OEM agreement has similar terms. We've reached out to Google for comment.