The problem is you're running into device security vs. device capability. If you can downgrade your device, then so can someone else. Take the standard example of jailbreaking: New iOS releases generally (sans bootrom bugs) fix security bugs, and definitely break jailbreaks.
If some large organization wants to monitor what you're doing by installing malware, they need to be able get the older OS installed. Assuming you're a sufficiently value target (human rights activists, etc), it can be worth them spying on you to get your device passcode, and then downgrading and installing malware. If it's not across a major version I suspect that the victim would not know.
Part of the attack model the companies like Apple and Google have to consider is direct physical access to the device. Neither company considers it reasonable to say "once someone has physical access to your device it is game over".
If some large organization wants to monitor what you're doing by installing malware, they need to be able get the older OS installed. Assuming you're a sufficiently value target (human rights activists, etc), it can be worth them spying on you to get your device passcode, and then downgrading and installing malware. If it's not across a major version I suspect that the victim would not know.
Part of the attack model the companies like Apple and Google have to consider is direct physical access to the device. Neither company considers it reasonable to say "once someone has physical access to your device it is game over".