How a few legitimate app developers threaten the entire Android userbase (Ars Technica)

I do agree with you, that rooting doesn't solve all of the security issues, although I do think that it can provide ways to work around some of them. But my point was that they should in fact be regarded as seperate issues.

I would not agree that only a tiny number of users can make use of rootability. There are apps that require root access for uses which can be interesting to larger fractions of users like advanced call blockers, Titanium Backup or crapware removal. Besides, it's a freedom issue, so there is no justification required to demand rootability.

I agree that accountability can be a difficult issue. It might be more helpful to try to push vendors of smartphones and of parts like SoCs, radios, etc. to mainline their drivers, so that providing upgrades becomes much easier and less expensive overall. Also that would make fixes available to everybody. If they'd also manage to seperate their "skins" from the OS, we could get seperate:
- kernel updates, which would require hardly maintenance apart from shared driver maintenance through the kernel community and a phone-specific config-file that specifies the modules
- Android updates, which could be gotten directly from AOSP
- TouchWiz/etc. updates, which could be delivered by Samsung as just another apk that serves as an implementation for a Launcher

Of course this would work against the vendors tactics to lock users into their platform and to force them to buy new phones, but these tactics justify boycott anyway.