Andoid Security in a Nutshell
One of the things I like about Android is the application security. I've not used so cannot compare to the iPhone.
On Android, applications are each given their own user account, and are restricted to that user account. An application can only access it's own storage, and the SD card (it can't modify Android short of creating icons in the Launcher). This is why you can't install Apps to SD officially, as the SD card needs an ext filesystem to support the permissions to restrict application access.
If an application want's to use other parts of the phone, camera, contacts, SMS, internet, it needs to specify it in it's manifest file, which the user is then informed about during install. So if you're installing a new software keyboard that wants the 'internet' permission, you have the chance to think twice. This does of course require the capability of thinking.
I have often thought it needs to go one level further, and give you tickboxes to select which permissions you want an application to have, so I could install the software keyboard, without giving it Internet access.
Further, you need to specify in settings whether you can install from an APK (Android Package) directly, without that ticked, you cannot install software from 3rd parties. Ticking that gives you a nice warning about untrusted applications -- not that market applications are any more vetted.
You are right of course, being able to install *anything* does bring with it a huge risk over installing only Apple tested applications, but it does also provide greater flexibility of the platform and IMO is worth it.
Not being able to install anything is the only real reason I have for not wanting an iPhone, I'm building software for my parents company to monitor their packing machine remotely, the software is specific to the company, and I can install it on each device. Would I have to submit the software to Apple and iTunes to distribute this for an iPhone?