The vulnerability is still a real concern: even if some phones are patched, it’s easy enough to detect the phone model through the browser’s User-Agent string and then proceed based on whether the phone is vulnerable or not. And since the vulnerability is present in Android 2.3, which millions of phones are still running, there are still a lot of targets out there. If you’ve got an Android phone, the easiest way to mitigate the risk is to install another dialer: if someone’s trying to hijack your phone, you’ll simply get a “Complete Action Using” dialog.
Again, most Android enthusiasts have big complaints about the way Android is updated. Even if it’s a vulnerability in Android itself, the patch can’t be pushed out unless your manufacturer patches it in their build and your carrier pushes it to your phone. Beyond having the newest and best software, exploits like this are why keeping all phones up to date is important, and with the current Android supply chain, it’s simply not possible. Maybe this incident will be a wake-up call for Google that Android upgrades need upgrading.