Hey ... I like the idea of a CP/M phone :-)
(hmm ... a few early versions of Turbo Pascal came
with CP/M-tweaked versions - ideal for the project)
Android has had security issues - but then everything does.
It uses a Linux kernel, but almost everything on top of
that is custom. A good feature is that apps are run in a
"sandbox", largely isolated from the rest of the system,
but even that has been exploited to fool users/anti-virus
that an infected app is "safe". Usually apps are only
checked once for bad behavior, but time-delayed evil can
be hidden inside.
Modern Android seems kind of 'anal' - always asking
for user permissions for things - but 'anal' and
actually 'secure' are not always the same thing.
We remember Winders Vista - where the MS 'cure' for
all its security holes was to Make It YOUR Fault
by allowing apps and actions (or just disabling
that horrible stuff entirely).
The danger from Pegasus and the like kind of depends on
who you are and what you do. Normally Pegasus has been
used by governments to spy on enemies/rivals (and sometimes
its own). In theory it could be widely deployed, but that
would subject it to more detailed analysis and soon it
could be detected/blocked easily. Narrow deployment
extends the useful lifetime of spyware. Pegasus is
now too "exposed", and thus probably at end-of-life.