If you go out to a shop and buy 100 Android phones, at least 99 will be running outdated OS versions with known security issues and no updates available.
Where I am (the Netherlands), Android is way more popular than iOS--I'm not attaching value judgement to popularity or otherwise, nor am I particularly doubtful of your claim that the average (cheap) Android phone is running an outdated version.
But if that's the case then what is going on?
Are they not juicy targets for hackers? (tons of personal information, botnet possibilities, seems valuable to me)
Or are they in fact being hacked quietly and we're not hearing much about it? Is everyone's cheap phone already part of a botnet and nobody realizes?
Is it perhaps that the exploits require physical proximity that hackers don't deem worth the risk?