Android Central does a great job breaking this down and avoiding the scare tactics that some other journalists are using to describe the situation. Understanding WebView and Android security patches Understanding WebView and Android security patches | Android Central

Bottom line. Google has never directly patched exploits on OEM devices before (remember heartbleed, motochopper etc) it just so happens that they have the ability to fix this one on their own hut only for Kitkat and later. The exploit also only affects webview which is part of the stock browser and other Apps which push internet content without being a browser. Chrome has there own Blink engine which they have full control of (exploits like these were one of the reasons Google built their own service)

At the same time, I don't see Asus jumping in to push OTA updates to old devices and the exploit is still a serious one.