Except that a huge chunk of Android CVEs I've seen are related to vendor code which does not get updated in custom ROMs either.

And those are the painful ones, since drivers have kernel access. The security situation on Android is really less than ideal :/