It got this way because 99% of people are happy running what's in the app store, and the security protections are more valuable than being able to run arbitrary code.
Linux as an answer doesn't address the needs of 99% of people, so 98% will never adopt it. It's better to meet people where they're at and push for sideloading and alternative app stores.
There are plenty of smartphone companies locking down their bootloaders, but there are others that will let you unlock your bootloader by just running the basic command.
A much bigger problem for running Linux on phones is that standard Linux runs like crap on phones. It doesn't have the mainline driver support amd64 computers have, and the battery life optimizations that make Android usable need to be reimplemented on top of Linux to get a day's worth of use out of your phone. Unfortunately, most Linux applications are written for desktops where they expect the CPU to be running all the time, the WiFi to be accessible whenever they want, and for sleep/suspend to be extremely incidental rather than every two minutes.
Only as long as Google doesn't force Web Environment Integrity through. Running a custom OS won't help if important websites refuse to load unless they're running in an approved browser with a set of approved extensions, on an approved OS, on top of approved hardware.
I've been beating the drum that we need mobile drivers licenses and pairwise pseudonyms. It is a path to beating spam and bots in a way that doesn't hand control over to private entities.
Some folks don't like digital identity controlled by government, but it seems like the alternative is digital identity controlled by oligopoly.
Linux.