All software has security vulnerabilities, but organisations have vastly different attitudes toward fixing vulnerabilities as they are identified, and potentially different capabilities when it comes to fixing vulnerabilities in a timely manner.
But Google will fix the security flaws automatically.
You have to compare this device to the typical home router, which is NEVER updated.
And even if you do run an Open Source firmware, you have to make sure it's kept up to date.
Please don't bundle Android and the rest of Google software. They are two different teams with two different philosophies, and one team doesn't like to have its reputation hit by the other team's faults.
Remember Android wasn't originally designed by Google, and many of its security design decisions and culture were inherited.
Unfortunately when it comes to data and cloud companies these days, that's a little like saying you'd trust Blofeld more than Dr No because he's a more competent villain.
Although I'm sure you're using DD-WRT or something...