If I was a betting man: some smaller fish in the Android ecosystem practiced exquisitely terrible key management outside an HSM, got burnt, and will have to slip KPMG or Deloitte an extra big kickback if they ever want to see a clean SOC 2 again.