Handset vendors and carriers push security patches routinely (though not commonly, the sandbox architecture makes it a lot less needed than on a desktop OS). It's OS upgrades that are slow. Holes get closed.
You distinguish between security updates and OS updates. I'm not aware of any difference, an update is an update. I've never seen an OTA update that wasn't a point release. How are these deployed differently?
The article links another article which shows, graphically, how long a number of popular Android phones were getting updates - including security patches. According to it, Android users are lucky to be getting updates after a mere 10 months. Including security patches. And that's assuming you buy the phone immediately after it hits the market.
There are many, many unpatched vulnerabilities on Motorola Milestone XT720 (and many others). Google doesn't even release security patches for old releases (until recently)--their opinion seems to be that all manufacturers should update to Gingerbread or whatever the latest OS happens to be. Google finally seems to have pulled their heads out of the sand or stopped humming with their fingers in their ears recently and made security point release for Froyo a few weeks ago that backported some security fixes that had been in Gingerbread for a long time, though.