Android is unpatched. Worse, those inconsistent versions are even more inconsistently patched -- you can have different patches (or none at all) applied from one carrier/manufacturer/model combination to the next. By contrast, Apple releases OS updates and patches to all devices across all carriers at the same time, typically covering every model released in the previous two years. RIM's product portfolio is in between, with different OSes for different hardware generations and variable patching schedules, but not as bad as for Android.
The bottom line for IT is that there is no "Android platform" to manage. Although Windows is as susceptible to malware as Android, IT at least knows that OS patches from Microsoft apply to all PCs from all hardware makers -- and IT has the power to roll out the patches at once. That is not the case with Android, which leaves IT with no control or even consistency.
But none of that matters to users, and as the BYOD phenomenon has become the norm at most companies, saying no to Androids while saying yes to iPhones and BlackBerrys is a losing strategy. (And saying yes to iPhones and BlackBerrys is a rational strategy that you can't undo.)
What IT can do to reduce the pain
Given the situation, here's what I advise IT to do:
Insist on basic EAS support. Android 3.x tablets and 4.0 devices (both smartphones and tablets) support EAS policies relating to passwords and on-device encryption that are close to what iOS provides, as do the 2011-model Android 2.3-based smartphones from Motorola Mobility and the Samsung Galaxy II S and Galaxy Note smartphones. Tell your users to favor these devices. Also, help them understand that some devices running Android 4.0 will still not support encryption due to hardware limits, so they need to be sure the hardware they choose supports your requirements, which you should post. (It's also good to provide a list of recommended, vetted devices.) Deny access to those that don't support your EAS policies. MDM server tools like the new MobileIron 4.5 can manage the various flavors of Android devices from a common set of EAS and additional policies (which also apply to iOS), detecting noncompliant devices and regulating their access accordingly.
If your primary use case is email, you can tell users of other Android devices to opt for NitroDesk's TouchDown app, which creates a sandboxed container for corporate email, contacts, and calendars that supports EAS password and encryption policies similar to those in Android 3.x and 4.0. Some MDM clients, such as those from AirWatch, MobileIron, and Sybase, offer similar sandboxes for corporate services, as does the forthcoming Divide app from Enterproid.
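As an added illustration of the EAS advice above (not part of the original article), here is one way to express "require a password and encryption, and deny devices that can't comply" as an Exchange ActiveSync mailbox policy. It uses the Exchange 2010 Management Shell cmdlets; the policy name, the password and lock values, and the pilot mailbox address are assumptions chosen for the example.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2010 cmdlet names).
# The policy name, numeric values and mailbox address are assumptions.

$policyName  = 'BYOD-Baseline'            # hypothetical policy name
$pilotMailbox = 'pilot.user@example.com'  # hypothetical test mailbox

# Weak setting to avoid: AllowNonProvisionableDevices = $true lets a device
# that cannot apply the policy (for example, no encryption support) sync anyway.
# The corrected form below sets it to $false so such devices are refused.
$settings = @{
    Name                            = $policyName
    DevicePasswordEnabled           = $true        # require a device password
    MinDevicePasswordLength         = 6            # assumed minimum length
    MaxDevicePasswordFailedAttempts = 8            # assumed attempt limit
    MaxInactivityTimeDeviceLock     = '00:05:00'   # lock after 5 idle minutes
    RequireDeviceEncryption         = $true        # on-device encryption
    AllowNonProvisionableDevices    = $false       # deny devices that can't comply
}
New-ActiveSyncMailboxPolicy @settings

# Apply the policy to a pilot mailbox before rolling it out more widely.
Set-CASMailbox -Identity $pilotMailbox -ActiveSyncMailboxPolicy $policyName

# Review which devices have partnered with that mailbox and how Exchange
# currently treats them (allowed, blocked, quarantined) and why.
Get-ActiveSyncDevice -Mailbox $pilotMailbox |
    Select-Object FriendlyName, DeviceModel, DeviceOS,
                  DeviceAccessState, DeviceAccessStateReason
```

Exchange takes the device's word that the policy was applied, so the MDM compliance detection mentioned above remains a useful second check.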
Insist on antimalware software usage -- when you can. Buying antimalware software for iOS is a waste of money -- but not for Android devices. Given how malware-ridden the Android Market is and how big a target it is for criminals, I don't believe you have a choice other than to require the use of antimalware software. But there's a caveat: There's little actual antimalware software to deploy; of the major vendors, only McAfee offers a client app. Symantec has no antimalware software for Android yet, but is working on it.