In Daniel J. Bernstein's "Thoughts on Security after Ten Years of Qmail 1.0" (http://cr.yp.to/qmail/qmailsec-20071101.pdf), he points out that "chasing attackers" is more of a distraction than a solution to security problems. As he writes, security patches "do nothing to fix the software engineering deficiencies that led to the security holes being produced in the first place." Instead, Dan thinks the best idea is to minimize the size of the trusted code base, i.e., the code that needs to be audited for security bugs.
Android certainly seems to have minimized the trusted code base, compared to a typical Windows or Ubuntu install. Since most software is Java, there are no such things as buffer overflows, return-to-libc attacks, and so on. There is a better security model; for example, random applications can't just read and write the user's data unless they've specifically been given that capability. Another advantage Google has against malware is that it can remove known malware from Google Market, which is the only way that most users get their applications.
Of course, since Android now supports native code, hackers can attack the kernel API. I kind of hate to admit this, but that API might be one of the more vulnerable parts of the system at the moment.
One thing that annoys me about Android is that you can't install an app without granting it all the security capabilities it wants. This has led to me uninstalling things like the Pandora radio application, because it just wanted too much power.
A lot of people think that the computer security battle has more or less been lost on the desktop front. Developers keep adding features, which also add security bugs, and hackers keep finding those bugs. It's a never-ending cycle which will never lead to real security. In order to really start winning, we need to change the game so that new bugs get put in at a lower rate than they're discovered. Higher-level languages and better security models are a good start. You don't have to constantly patch applications and libraries unless they're part of the trusted code base.