We recently discovered that Android devices from multiple major brands sign APEX modules—updatable units of highly-privileged OS code—using private keys from Android’s public source repository. Anyone can forge an APEX update for such a device to gain near-total control over it. Rather than negligence by any particular manufacturer (OEM), we believe that unsafe defaults, poor documentation, and incomplete CTS coverage in the Android Open Source Project (AOSP) were the main causes of this issue.
I have the December 5 security patch. Is there still a chance that my device is not secure?
Give the article a read. Your answer is right at the top.
I asked after reading the article. It mentions December 5 but also has bits about:
It still leaves an ambiguity if your device is properly patched, today January 31.