Well, with the WebView bug one could mitigate - don't use the built-in browser or apps you don't trust and don't go to websites you don't trust with your phone (which is actually always good advice). The fix was also in the next version of CyanogenMod - so, theoretically, you could update your phone although most people didn't. Google's reaction to this was bad - basically a "meh" - which is why it took so long to fix.
And with the GnuTLS bug I guess it should be: "never trust code you can't see or can't understand." Or, cynically: "never trust code."
I can't see Samsung coming out with a fix for this bug for any existing phone - I guess the upside is that it can only be exploited through the tower (or the fake one someone sets up) so it's difficult (at this point) for any non-governmental actor. Easy for the three-letter organizations though.
The alternative is trusting whatever mega corporation is trying to sell you units to do right... in secret.
I think I'm going back to a dumb phone.
I'm hoping the Ubuntu phones are better. I'm not very hopeful though.