The terms don't require vendors to supply every update, but they aren't allowed to slack for long. They have to supply "at least" four updates in the first year after a device's release, and provide an unspecified number of updates in the second year. They also can't afford to let security go neglected for very long -- at the end of each month, companies have to offer protection against all vulnerabilities identified over 90 days ago, no matter how many updates they've issued.
There are teeth behind the agreement, too. If a company doesn't honor the requirements, Google can refuse approval and effectively block the sale of a device.
In a response, a Google representative didn't directly acknowledge the contract but did say 90-day patches were a "minimum security hygiene requirement" and observed that "the majority" of more than 200 Android devices had security updates from the last 90 days.
It's not certain that you'll get the updates in a timely fashion. You'll still have to deal with carrier testing delays in some cases. Even so, this could help address the bad habits of those Android makers who either deliver updates sporadically or reserve fixes for certain models. Now, even a modestly successful device will have to be relatively secure. While the policy won't help much if there's a very recent security flaw, it should set a baseline to prevent particularly serious lapses.