One of the greatest challenges in maintaining a secure Android device is the plethora of different versions of Android available. Each vendor has its own customizations of the operating system, and will release its version of any update weeks or months after Google makes it available (if at all). The Google Nexus line of devices is the answer to this challenge, as these devices only use the basic (vanilla) version of Android and are always the first to have updates available. The drawback of the Nexus devices for some users is that they lose the polished, easy-to-use apps that some vendors provide. I personally prefer simplicity in my device, though there are some features that I greatly appreciate in some devices (see the KNOX page for one example).
Another major challenge is managing applications (apps). There are, as of the time of this writing, very few controls over what information and capabilities an app can access. When you install an app, it asks for permissions, and most people grant them without considering the privacy implications. Why would a flashlight app (that turns on the camera flash) need to be able to access your phone information, contacts, and text messages? It shouldn’t, so any flashlight app that asks for these permissions should not be installed. Unfortunately, many mainstream apps (social media apps are most notable for this) ask for far more permissions than they should have – and users have no choice but to allow access if they want to use the apps. Tighter controls over permissions are likely to come in a future version of Android (and already exist for those who have rooted their device and installed a permissions management app).
For the moment, the best way to keep an Android device secure is not to install apps indiscriminately, and to read and think about the permissions that you grant apps as they are installed or updated.
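The flashlight check described above can be made repeatable. The following is an added example, not part of the original page: it parses text in the style of `aapt dump permissions` output and reports every permission the app requests beyond what its stated purpose needs. The sample dump, the package name `com.example.flashlight`, the `EXPECTED` set and the partial `SENSITIVE` list are all constructed assumptions.

```python
import re

# Constructed sample in the style of `aapt dump permissions <apk>` output
# (not taken from a real app). Both line styles aapt has used are included.
SAMPLE_DUMP = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: android.permission.INTERNET
"""

# Assumption: the reviewer decides what the app's stated purpose requires.
EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Partial list of privacy-sensitive permissions and the data they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_PHONE_STATE": "phone information",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
}

PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_dump(text):
    """Return (package, [permissions]) in the order they were declared."""
    package, perms = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("package:"):
            package = line.split(":", 1)[1].strip()
        match = PERM_RE.match(line)
        if match and match.group(1) not in perms:
            perms.append(match.group(1))
    return package, perms

def audit(text, expected):
    """Split the permissions not justified by `expected` into two groups."""
    package, perms = parse_dump(text)
    extra = [p for p in perms if p not in expected]
    return {
        "package": package,
        "sensitive": {p: SENSITIVE[p] for p in extra if p in SENSITIVE},
        "other": [p for p in extra if p not in SENSITIVE],
    }

if __name__ == "__main__":
    report = audit(SAMPLE_DUMP, EXPECTED)
    for perm, data in report["sensitive"].items():
        print(f"{report['package']}: {perm} exposes {data}")
    print("other unexpected:", report["other"])
```

Any entry under `sensitive` is a reason not to install the app; entries under `other` still deserve a look, since network access combined with sensitive data is how that data leaves the device.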