Google and the company that made your phone are tasked with keeping your information secure, but so are you. Doing your part is easy enough; be diligent about the things you download and install, and make sure you have a secured lock screen with a strong backup password or PIN.
Google and the company that made your phone don't have it nearly as easy. They both need to make sure bugs and vulnerabilities are found and fixed, and the relevant software updates are filtered out so you can install them.
How this is handled might be worth thinking about when you decide which Android phone is best for you.
Security: Doing your part
There are three things you can do to make sure your phone is as secure as it can be. Thankfully, none of them are hard to do!
Start with your Google account. You need one to use all of the Google services that come with your phone, like the Play Store or Google Photos. Ensure that your password is strong (if you're not sure, you can change it here, and Google will help you pick a good one) and that you have enabled two-factor authentication (2FA). 2FA seems inconvenient, but it's really not. Once it's set up, you'll barely notice you're using it.
The next step is to make sure you use a lock screen on your phone. Setting one up is easy enough, even if you skipped through it during the initial setup of your phone. You'll find everything you need in the settings app. Make sure you pick a password or PIN that nobody can guess easily. You can also enable biometrics like a fingerprint sensor to make unlocking your phone even easier.
Finally, be careful and read before you tap those "yes" buttons. Websites can get your phone to download things automatically, but they can never automatically install anything without your consent. Make sure you trust everything you install, and you should be fine.
Security: Google's part
Android is a giant open-source software project, but it is tended to by Google. That doesn't mean that Google writes all the software in-house; only that it's their job to incorporate everything together in a way that works well and is secure enough to use on billions of phones around the world.
Security starts with every release of Android, and features that make our phones safer are built into each new version. Android, as written with no modifications or user changes, is one of the most secure operating systems available to consumers. The thing is that oftentimes nobody wants to use Android as written, so changes have to be made very carefully.
There are a lot of smart people who want to find a way to bypass all the security features in Android, and new ways to defeat them are being found all the time. This is true for every piece of software — flaws and bugs are inevitable. This is why security patches are important. Google needs to address bugs and exploits and then implement fixes that don't break something else. Once done, these fixes need to be sent to companies that make phones because they are the ones who build and tailor Android for each device.
Security: Phone makers
The company that made your phone has the most difficult task when it comes to keeping it secure. Google doesn't make Android for all the phones that use it; it allows and encourages phone manufacturers to customize Android to meet the needs of their customers. Google does this by providing the Android source code for free to everyone, including companies like Samsung or Motorola, and even a separate division inside Google that makes Pixel phones and tablets.
With this source code in hand, a phone maker will usually change much of it before it builds the Android operating system. When you hear something like One UI, it's referring to a distinct version of Android built by Samsung for its phones and tablets. This system puts much of the support — including keeping things secure — on manufacturers.
A phone maker needs to take the code for each version of Android and incorporate their changes and improvements without affecting the baseline security Android itself offers. Then they have the difficult task of adding their services while making those are also secure. Finally, some companies even add extra security features to Android, like Samsung Knox.
When flaws and exploits are found and merged into the Android base, the phone maker has to do the hard work of adding those changes into their version of Android, then work with carrier partners and try to get them sent out to everyone. This is the really hard part. In a software project as big as Android, even the smallest change can have a ripple effect and break something else. Phone makers have to do the coding work and then take the time to rigorously test everything before any changes get sent out to users.
It takes a village
To make sure an Android phone is secure and stays secure, all of these things need to work together. The hard work done by Google or Samsung (for example) means little if you leave your phone unlocked all the time, or if you install any random download from the internet. Conversely, your diligence doesn't mean you're protected if you don't have secure software to start with.
Thankfully, Android has matured, and most of the time, these three things work as intended. You probably will never have your phone "hacked" as long as you do your part.