I've used, and continue to use, Linux for a long time, and am very happy with it. Great for my desktop/laptop (Debian, i3).
That said... it seems like it was a bad choice for these devices. It has no stable ABI, and not even a stable API (famously --- you can read the good reasons why this is the case). If a stable API/ABI were used, then I would think it would be trivial to keep up with security updates --- just run a mainline kernel with a few custom drivers for cell/touch/GPU/whatever. Those will need to be kept up with security updates, but any core kernel security would be automatically handled just by running recent kernels.
Perhaps I'm missing something obvious --- probably just that everyone decided on Linux, so various vendors already have good Linux support (if only for a 5.10 or some other ancient kernel...).
You might be surprised to learn that the Linux kernel as employed in Android does actually have a stable binary and programming interface. It’s called the Kernel Module Interface or KMI, and Android fixes the tool chain and symbols that may be used. It’s part of the effort to move devices to generic kernels.