Taking the chart into account there, given 60+% are on 2.3.3-2.3.7, I'd say it isn't as bad as it is made out to be. 3.x was made strictly for tablets, and 4.x is still fairly new and, because of hardware requirements, won't see the large majority of existing phones. Sadly, Motorola is leaving out a TON of perfectly capable phones (such as the D3) from getting ICS, but that is the beauty of loading your own ROMs, so people actually CAN stay up to date if the manufacturers are too lazy to. Even if the bootloader is locked, as long as it can be rooted you can load your own ROM. Only catch is you can't update the kernel or radio, so if the security leak is there, all bets are off until an official update. But I'd bet most of the time it is in the overlying OS and not the kernel or radio.
And FWIW, it is usually not the carrier dictating updates unless it is a carrier-exclusive phone. Rather, the manufacturer does the updates in most phones in the Android platform.