I am not sure whether my message was clear
Just a couple of considerations:
- There is indeed always a security bulletin with vulnerabilities found across the source code of Android and other software components, which are both massive. The vulnerabilities normally have low to medium severity, with a critical bug only rarely being spotted. This can be seen negatively, but in my opinion it is actually positive that there is such strong interest in security that Android is constantly inspected for that purpose.
- It is true that Android gives manufacturers a preview of the security bulletin in advance, but that is, as the word says, a preview. A lot of the vulnerabilities highlighted in the preview do not receive a corrective patch until the actual bulletin is released.
- (Almost) all of the vulnerabilities contained in the security bulletins are under embargo until the bulletin is public, meaning that the general public will not know about the vulnerability (and thus cannot potentially exploit it) until it is publicly announced.
- The beauty of Android is its layered architecture, which makes it very difficult (and most of the time impossible) to use a single vulnerability to actually reach a malicious goal; normally, a chain of vulnerabilities across different layers is necessary.
The above points are no excuse, just the reality.
I just checked the release schedule for the FP4 and FP5 over the last few months, and on average we released the SPL of a given month around 7-8 days after that month had ended.
As I said, speeding up the SPL release pace is on our agenda for next year.