Linux is a very safe and very unsafe OS at the same time. In the hands of a skilled system administrator (or even just a skilled user), you can build a bunker. However, if someone builds his own system and doesn't pay much attention to security, then it is an open door.
It is well known that Android suffers from some amount of fragmentation (not that much actually, since the majority of the user base is spread over just 3 versions). It gets worse when you take into account all the bloatware put on the phones, since that puts the task of keeping things safe on the manufacturers.
So in the end, I'm not surprised. However, it would be interesting to see some statistics for e.g. the Galaxy S3 separately, to find out whether an (almost) up-to-date Android phone from a flagship manufacturer is as vulnerable as a cheap outdated phone.