Android and iOS are entirely consumer focused. Desktop O/Ss, while also consumer based, share the same codebase as their server O/S variants. Windows 10 has the same core code as windows server 2016, Ubuntu has the same code code as Red Hat Enterprise, etc. Even MacOS has roots in BSD. This means there is a lot more scrutiny of the security of those machines.
Android is based on the same Linux kernel that Ubuntu and RHEL use. iOS is using the same XNU kernel that OS X is - and you can go poke around the source of that too, if you want.
https://github.com/apple/darwin-xnuWindows phones... well, both users are probably fine, being a small target set and all. I'm not actually sure what kernel they use on those devices. Windows CE or a stripped down NT kernel, probably.
OS X/iOS local kernel exploits are pretty rare, Linux local kernel exploits exist but are reasonably rare, Windows is actually a ton better than it used to be and has hypervisor based separation for desktop use in certain configurations, so I don't quite see your point here.
More than that, the design and usage model of mobile platforms is fundamentally flawed from a security perspective. Every app you install is collecting information about you and storing that information on remote systems.
Some do, some don't, though it's hard to tell. Fortunately, permissions are getting better, with both iOS and Android allowing you to deny permissions to apps, or (at least on Android) fake them out with false data (though that may be one of the third party forks, I haven't used Android in the past couple years - Cyanogen?).
Often including your actual user data (images, documents, etc.) This means that the potential attack 'surface area' is not just your device, but all the machines that are collecting data on you and the connections made to transfer all that juicy data. This is pretty much your hacker (and spook) wet dream come true. It's the digital equivalent of leaving all your windows and doors open and posting your bank account information on a sign in your front yard with a 'please dont look at this' note.
For apps that upload stuff, yes, but locally, they have far more isolation between application spaces than a typical desktop OS. If something is running as a user on Windows/Linux/OS X, it generally has permissions to just about all the user data. Android and iOS enforce far more separation, and an application can't just go rooting around in the files of other applications.
If you don't want to install applications that upload crap to the cloud, don't install them, or don't give them permissions.
* On current mobile devices, you don't control the device, Apple/Samsung/Google/etc. do. You have to illicitly hack your device to gain that control. This means you have exactly zero security because you don't control the device.
You're aware of the Android malware that checks to see if a device is rooted, and if so, uses that access to gain more permissions and be more evil, right?
Claiming it's "zero security" because the user doesn't have the ability to run any code they want is a nonsense claim. I actually think the whole "open computing" experiment has failed, badly. If a computer can run anything, it'll rapidly end up running malware of some variety or other. Locked down devices running signed code are significantly more secure, because malicious code can't move laterally as easily as on a Windows/Linux/OS X desktop.
ChromeOS is the best model I know of for secure web access, though I'd trust an updated iOS device far more than I would Android or any desktop.