The issue for HTC revolves around carrier-branded phones, mainly because Android's hardware partners take Google's security fixes, integrated them into their own software build and then rely on carriers to approve and push the updates.
While the reasons are real and make sense, they don't help HTC's cause in this specific case, mainly because the scope of the security issues are potentially massive.
Consumers don't want to hear blame being passed along from handset maker to carriers. They simply want their data, privacy and devices to be protected. And they (rightly) feel that the company that sold them their smartphone or tablet be responsible for at least part of that.
Google is doing its part and frankly, that's where the solution starts. Now it needs Android partners to step up to do theirs.