Software is shipped with known bugs all the time. There have even been recent articles on LWN about the kernel devs having this type of debate and what to do about it (lack of testing vs moving forward being the main argument, IIRC - not all that different than this discussion).
In this particular case, when was the flaw discovered in the underlying library, and when was this known to Google and where was the phone in the process? Given the lead time a lot of these products require (ship software to manufacture, start making and loading them onto phones, ship phones to retailers, etc), you could easily be talking months. So it's highly likely that it was not possible to actually fix the shipping Android code.
So, how long did the update process take: 2 weeks. Which, as I was agreeing with dw, is not an unreasonable amount of time in order to make sure that the new version of the library doesn't break anything (I expect regression tests on a web browser can take a while, much less on an entire mobile phone) and from there, push it through the whole carrier/telco process.