This is the kind of thing where it is not totally crass to say, "well duhh." If 94% of Android devices are not running the latest version, then obviously 94% of Android device users are exposed to known security exploites every day because the device vendors refuse to provide security updates, even to things like SSL libraries. There has to be something very wrong with the system of industry regulation that allows them to get away with this for so long. Can you imagine if PC computer vendors did that so no one could apply Windows updates?