Some Android device makers are lying about security patch updates

"And while it is very possible that some devices tested by SRL aren't Android certified and that some devices may have just had their vulnerable features removed, it's also possible that there are some instances in which an OEM said that they had updated a phone with new security patches when they actually hadn't."

I suppose removing vulnerable features could be considered an update. I wonder how that is done?

More reason to go with iPhone.