Okay, but Google certifies phones which are not updates for the last several years.

They can be trivially rooted, then they spoof the signature and get a pass in Integrity while being wide open for malware (or cooying the ID, ID presume).