In some cases, the failure is a simple one: they are not really scanning app code. AV-Comparatives found that are just using app whitelists or blacklists, and sometimes very broad ones at that. They may allow all apps whose package files start with "com.instagram," but it would be trivial to create rogue apps that used a variant on that name.
The apps that passed came from familiar security brands, with big names like AVG, Kaspersky, McAfee and Symantec catching everything. Those that have short had a familiar pattern, however. Many of them were written by amateurs, cookie-cutter apps or from companies that are clearly not focused on security. Anti-malware apps from the vendors in the test have been in the two months since the test took place in January.
It's safe to say this serves as a reminder to stick to antivirus tools from companies with solid track records. However, this also represents the challenge Google and other major operators face in screening apps. They can verify that the apps are causing harm to users or violating the law, but they can't enforce a baseline level of quality needed to keep your phone safe.