KeyChain is a relatively new addition. Its only available from API 14 (Ice Cream Sandwich) and higher. Nicolay Elenkov has a good blog entry on it at Using the ICS KeyChain API.

KeyStore is an even newer addition. Its only available on API 18 (Jelly Bean MR2) and higher. Nicolay Elenkov has a another good blog entry on it at Credential storage enhancements in Android 4.3.

You might also be interested in Unifying Key Store Access in ICS from the Android Developer's Blog. It tells us the KeyStore has been around since API 4 (Donut), but only the system could use it and it was only used for VPN secrets (Wifi was added later).

The user certificate store was kind of broken until recently. To remove a certificate from the store, you had to delete the entire store (even the certificates and private keys you wanted to keep). See User key/cert management in ICS.

The system's certificate store used to be stored in ROM. That changed after the Diginotar failure because Android had to build new images to remove the compromised Diginotar root. Given that so many carriers don't support their devices, there's literally millions (perhaps billions) of defective devices still out there.

If you want something that appeals to the largest selection of Android devices, then you probably need to use your own store. Perhaps a Java Keystore or SQLciper would be a good choice. Just be sure the database is encrypted with a key that derives from something the user inputs (like a secret). Combine the user's secret with a random value stored on the file system in your sandbox or KeyStore for maximum effect.

If you don't take the user's input, then you hit the "Unattended Key Storage" problem. And that's a problem without a solution. See, for example, Peter Guttman's Engineering Security.