As it is today, Google requires that Android devices pass the CTS, or Compatibility Test Suite, in order to be eligible to have Google's proprietary apps, like the Google Play Store, on the device. In the future, Google being able to push its own updates to the OS layer will likely simply be another requirement to pass.
The reality is, the idea that someone like Google can write code, and then be unable to push security fixes to it, is patently insane. In 2017, this is completely unacceptable. The idea that an OEM or carrier should be responsible for, or able to interfere with, security updates to the OS developer's code is simply not okay.
I am a big fan of open source software and customization, but the current situation, where 0.5% of Android devices run the latest version of the OS, is completely unacceptable, and any compromise or cost required to fix that is justified.
There's a reasonable chance Android will lose some OEMs over the change, and that is fine. Google needs to focus on security over profit here, and accept that they might lose a little market share to do the right thing and protect their customers' safety.