Under the terms of the deal HTC admits no guilt, but the list of things that it has agreed to do suggests that there wasn't much security work being done by the Taiwanese manufacturer. The full settlement gives the company seven core tasks which you would have thought it would have done already.[blink] [blink]
These include actually assigning someone in the company to be responsible for security, doing a risk assessment on its current coding practices and handsets, designing safeguards against flawed code, and training in-house staff on good security practices, such as where to get updates and patches.
You wonder just what they were doing about security. Actually, you don't (well, I don't).
It goes without saying that any of all y'all with HTC cell phones should upgrade to Android 4.0, stat.
NOTE: This agreement concerns software created by HTC for their handsets, not Android in general. However, I have to say that Apple has a much cleaner update mechanism for iOS - you get new security updates via iTunes, directly from Apple. With Android, the flow is Google fixes Android, then (maybe) the handset vendor updates the software for the phone, then (maybe) the carrier makes the fix available. It's a clunky process with a lot of failure points.