I read a few days ago on a better informed site that Google (which updates Google Play Services) has implemented a fix in their "verify apps" option. All a user has to do is to make sure that the respective option is checked in their settings. In 4.4 this is enabled by default.
Of course, pushing these updates outside the OS updates (as it's already being done) means that phones that are in use (therefore receiving Services updates via Google Play automatically) have this option already. That article (was on either Android Central or on Android and Me) thus explained the "lateness" of this security scare.