The problem is actually different
Modern "smartphones" are designed for a business case that is incompatible with security. They are built to sell apps.
The problem with this is rather simple: apps come from a number of untrustworthy sources, usually only in binary form, and some are even deliberately malicious. The proposed solutions for this problem are as follows:
1. An Appstore with censorship: In theory some Authority determines what software may go in, and what software must not go in. In that theory there is no other way to install software. In reality commercial pressures on that Authority mean that malware (by some standards) may pass, while perfectly harmless software gets filtered out as it expresses different opinions. So a large number of people root or jailbreak their devices to get at least some sort of control over them. Since that wasn't seen as a possibility in the security concept, there are no other meaningful precautions.
2. Sandboxing: In theory you would simply sandbox an application and restrict its abilities that way. Unfortunately that doesn't work. Any app can just refuse to run if it doesn't get the access it wants. Since the user wants to run that app, those rights will be granted. Even if you solve that problem by providing "fake rights" to that app, sandboxes are by no means secure. With Rowhammer we have learned that even allowing memory accesses to restricted areas can lead to sandbox breakouts.
So what can we do against it?
First of all we need to ditch the idea of installing random software from some app-designer. Installing an app should be something rare, not something you do because a billboard tells you to. Maybe it should even only be possible by holding down some hardware button inside of the device.
Then we need to greatly simplify those operating systems. Those systems should be roughly at the same level of complexity as Windows 3.1 or a task switching DOS. That level of complexity still can be managed and you might even get to a point where a typical user will not notice a bug. Then you can get rid of the idea that software updates have to be something that has to be simple.
The main problem is that people want web browsers and that web standards are already too complex and are on the way to becoming even more complex. Today a web browser is probably the most complex piece of software you have. Often it's more complex than the operating system kernel it runs on.