For Android < N, if you install a custom CA, you'll get a permanent "Network may be monitored by an unknown third party" notification that cannot be dismissed and stays across reboots. Android wasn't really "insecure" in that regard beforehand.

Your point is valid, but I think it's a negligible improvement that comes in hand with severe implications for privacy research.