First, you aren't talking about the average consumer anymore. If we're talking flashing operating systems, sideloading kernel updates and boot loaders in order to feel secure about your mobile device, then an older, vertically supported iOS device is probably a better bet.
Secondly, AOSP isn't forever. After your carrier/device-manufacturer drops support, Google isn't that far behind. If you're not getting AOSP drops for your device that work with device drivers then it's probably dead. There are a few brave souls willing to port modern Android to no-longer-google supported devices, but I wouldn't call that sure-fire security.
Thirdly, many AOSP derivatives and communities have niche motives that don't really align with the average user. New OS features, experimental "battery saving" kernel hacks and user-space root are commonplace where they really shouldn't be for the average, or arguably any, mobile user. Often devs get a new device and the community quietly moves on, dies, stops providing.
Mobile software is really in a sore place right now overall and neither duopoly is 100%. The incentives aren't aligned to the consumer.
Though untested, many think the BSD and similar licenses provide an implicit grant that can't be strategically revoked. Future case law to the contrary would make a lot of open software unusable or at least a legal minefield. Providing an explicit grant with explicit conditions of termination makes it easy for Facebook to selectively restrict use of anything that might be under patent in ANY of their projects. At best it's not in the spirit of FOSS and at worst it asymmetrically weaponizes open licenses.
It's true that, practically, most companies won't ever have to worry about Facebook infringing their patents, but I think it's garbage on principle to reserve first-strike litigation while making it impossible for someone else to do the same and use software you've made available under a supposedly permissive license.
I'd be with you, except for Android's planned obsolescence. The reliance on third-parties to provide at most ~2/3 year security update paired with a dated and forked version of the Linux kernel gives me pause.
Secondly, AOSP isn't forever. After your carrier/device-manufacturer drops support, Google isn't that far behind. If you're not getting AOSP drops for your device that work with device drivers then it's probably dead. There are a few brave souls willing to port modern Android to no-longer-google supported devices, but I wouldn't call that sure-fire security.
Thirdly, many AOSP derivatives and communities have niche motives that don't really align with the average user. New OS features, experimental "battery saving" kernel hacks and user-space root are commonplace where they really shouldn't be for the average, or arguably any, mobile user. Often devs get a new device and the community quietly moves on, dies, stops providing.
Mobile software is really in a sore place right now overall and neither duopoly is 100%. The incentives aren't aligned to the consumer.