I don’t know if Jolla can be blamed directly. Android is already responsible for its own possibilities or bugs. You can only protect yourself if you are not using Android. Personally, it is unclear to me how Android patches are handled by Jolla. Are all patches being applied? Only a few CVE numbers are listed in the SFOS change logs compared to the Android logs. That is lower compared to the dozen of CVE reported by the Google monthly patches.
Whatever, using the Dalvik is at your own risk.