Android security has multiple layers
Hearing that your phone might not have the most recent Android security patch is upsetting — and it should be. Android's monthly security patches absolutely do matter. But they're also a single part of a much bigger Android security picture, one in which no single layer by itself is typically a make-or-break element.
Much of Android's security is at its core, with factors like the aforementioned sandboxing along with the platform's permissions system, encryption system, and Verified Boot system. These are the types of areas we see improve with OS updates each year (like with Oreo in 2017 and Android P now — a perfect example, as I've said before, of why OS updates unequivocally matter). Even by themselves, they make most types of truly damaging "infections" incredibly difficult to achieve.
Then there's Google Play Protect, which continuously scans the Play Store and your actual device for signs of suspicious behavior (and remains active and up to date independently, without the need for any manufacturer- or carrier-provided rollouts). And yes, that system does occasionally fail, but (a) that happens far less frequently than Android security headlines would lead you to believe — more on that in a moment — and (b) such constant challenging and adaptation is an inevitable part of any security system.
Beyond that, Chrome on Android keeps an eye out for any website-based threats, and Android itself monitors for signs of SMS-based scams and warns you if any such signals are detected.