In some cases, the failure is a simple one: they're not really scanning app code. AV-Comparatives found that are just using app whitelists or blacklists, and sometimes very broad ones at that. They may allow all apps whose package files start with "com.instagram," but it would be trivial to create rogue apps that used a variant on that name.
The apps that passed muster came from familiar security brands, with big names like AVG, Kaspersky, McAfee and Symantec catching everything. Those that fell short had a familiar pattern, however. Many of them were written by amateurs, cookie-cutter apps or from companies that clearly aren't focused on security. Anti-malware apps from 32 of the vendors in the test have vanished in the two months since the test took place in January.
It's safe to say this serves as a reminder to stick to antivirus tools from companies with solid track records. However, this also illustrates the challenge Google and other store operators face in screening apps. They can verify that the apps aren't causing harm to users or violating the law, but they can't enforce a baseline level of quality needed to keep your phone safe.