It's not surprising that any platform have vulnerabilities. The more famous a platform is, the more scrutinized and the more vulnerabilities it has. The problem is not with the open source nature of Android which enables the vulnerabilities as malicious developers could easily get their hands on Android's source codes and write malicious applications.
The problem has many complications in my opinion. Firstly, there is no known incentive for hunting bugs like what Google Chrome browser has. Despite the sandboxing and permissions that Android have, people simply don't even know anything about permissions and they simply agree to allow all required permissions for the app they wanted to install regardless of the consequences. Google needs to make the permissions much simpler for lay people.
We have no idea about the actual working situation when a piece of application is submitted for review before uploading to the Market Place but from the current situations, there are tainted applications that have made it pass to the point it gets uploaded onto the Market Place successfully and pass inspections by Google.
The fragmentation of the Android Market Place is another huge problem. Other Market Places may have less stringent to no checks on the applications and some Market Places may not be safe at all and have other unknown motives. Google need to address this issue by releasing an official API to access it's Market Place, set known standards for checking of applications and to approve each Market Place as being standard compliant to it's standards. Releasing a Google Market Place API would appease the user's frustration of not being able to write applications to access the Market Place for other device platforms and therefore, may slow down the amount of new and inexperienced (and even potentially dangerous) Market Places from appearing.
There are many more problems, known or unknown. The above are some well known problems that I have touched on.