
Honestly, if it's true that the Android security model allows an OEM-signed app to escalate privileges, Google should always be monitoring OEM-signed apps on the Play store very carefully. There shouldn't be more than a few hundred of them. Can't be that hard.

And when installing an OEM-signed app, instead of the normal permissions dialogue, there should be a giant red warning that says the app can basically root your device. If the OEMs don't like it, they can set up a second key pair with no privilege escalation capability to sign updates for most of their apps (the ones that don't need elevated privileges).



Another idea: Before installing an OEM-signed app, send the hash to Google and check if it's on an allowlist.


Easier than that. Only the vendor's publisher account should be allowed to sign with the vendor's keys. Implement the same policy for everybody, so if one publisher uploads a package signed with the same keys as another, the original publisher should be notified.
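
The store-side policy proposed in the comment above, as an added example (not part of the thread, and not any real app store's code): each signing certificate is bound to one publisher account, and an upload from a different account with the same certificate is held while the original publisher is notified. `KeyRegistry`, `check_upload`, the account and package names are hypothetical, binding a key to the first account that uses it is an assumption, and the certificate bytes are constructed placeholders.

```python
import hashlib


class KeyRegistry:
    """Hypothetical store-side registry binding signing certs to publisher accounts."""

    def __init__(self):
        self.owners = {}         # SHA-256 cert fingerprint -> owning publisher account
        self.notifications = []  # (publisher to notify, message)

    def check_upload(self, publisher, package, cert_der):
        """Decide whether `publisher` may upload `package` signed with `cert_der`."""
        fp = hashlib.sha256(cert_der).hexdigest()
        owner = self.owners.get(fp)
        if owner is None:
            # Assumption: the first account to upload with a key becomes its owner.
            self.owners[fp] = publisher
            return "accepted-key-bound"
        if owner == publisher:
            return "accepted"
        # Same key, different account: hold the upload and tell the original owner.
        self.notifications.append(
            (owner, f"{publisher} uploaded {package} signed with your key {fp[:12]}")
        )
        return "rejected-key-owned-by-another-publisher"


def demo():
    # Constructed placeholder bytes standing in for DER-encoded signing certificates.
    oem_cert = b"constructed-oem-platform-cert"
    indie_cert = b"constructed-indie-dev-cert"
    reg = KeyRegistry()
    results = [
        reg.check_upload("oem-vendor", "com.example.oem.settings", oem_cert),
        reg.check_upload("oem-vendor", "com.example.oem.camera", oem_cert),
        reg.check_upload("indie-dev", "com.example.game", indie_cert),
        reg.check_upload("unknown-publisher", "com.example.flashlight", oem_cert),
    ]
    return results, reg.notifications


if __name__ == "__main__":
    results, notes = demo()
    for r in results:
        print(r)
    for who, msg in notes:
        print("notify", who, "->", msg)
```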



