on Feb 12, 2013



Except that was yesterday :(


How long before didrailshaveamajorsecurityflawyesterday.com is up?


I'm working on it.

;)


It's amazing to me to watch Rails be punished for being proactive about security. I don't even use Rails anymore (most of my type of API work is more suited for Sinatra), but I'm tired of seeing it used as a whipping boy unfairly.

Are you using a different web framework? Congratulations! You probably have tons of security problems as well. Does it do things like CSRF protection out of the box? Guess what, you have a security problem right there! It won't make it to the front of HN because nobody will turn it into a short-sighted web site (doesyourhalfbakedframeworkdocsrfprotectioncorrectly.com), but it's there. Alongside a -lot- of security problems that simply haven't been uncovered yet, simply because nobody is looking for them (or because they're not being reported). There's a reason that Anonymous can just hack into any web site they want, regardless of what framework it is (actually, their main method of attack isn't Rails holes, it's probably SQL injection attacks, which is another common security problem that has been elegantly solved by the natural usage of Rails). If you use an ORM that scrubs input for SQL injections, you are probably using code that was designed based on the Rails model.

Let me give an example. OpenBSD has been considered over the years as the most secure UNIX operating system. Look at how many disclosures they have had to make in the lifetime of the OS: http://openbsd.org/security.html#51

Why so many "major security flaws"? It's because they had developers that performed security audits of their code, which discovered issues. Critics were saying that OpenBSD is not secure because of the disclosures, while sitting on Linux systems that were not receiving audits, and as a consequence were constantly getting hacked because the problems weren't getting fixed.

The most secure systems are the ones that are the most vocal about their security problems. Updating rails is an extremely easy, simple process (update Gemfile, bundle install, restart rails). Stop punishing open source projects for being responsible.
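The comment above credits the ORM with scrubbing input for SQL injection. The mechanism behind that claim is placeholder binding: user input is quoted so that it can never leave the string literal it belongs in. The block below is an added illustration, not code from this thread or from Rails; `bind_sql` is a constructed stand-in for the `?` placeholder style ActiveRecord exposes (as in `where("name = ?", name)`), written so it runs offline without a database.

```ruby
# Added example (not from the thread): how "?" placeholder binding keeps user
# input inside a single SQL string literal, versus naive string interpolation.
# bind_sql and quote_sql_value are constructed stand-ins for the placeholder
# style ActiveRecord exposes (e.g. where("name = ?", name)); they are not
# ActiveRecord's own code.

def quote_sql_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "TRUE"
  when false          then "FALSE"
  else
    # Doubling every single quote is the standard SQL way to keep the whole
    # value inside one literal, so a stray quote cannot close it early.
    "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Substitute each "?" in the template with the quoted form of the matching
# value. Real binders tokenize the SQL so a "?" inside a literal is ignored;
# this simplified version just counts characters.
def bind_sql(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_sql_value(remaining.shift) }
end

# The pattern the ORM protects against: building the query by interpolation,
# where the input's own quotes become part of the SQL syntax.
def unsafe_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Constructed sample input containing a quote that would end the literal early.
HOSTILE_NAME = "x' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_sql(HOSTILE_NAME)
  puts bind_sql("SELECT * FROM users WHERE name = ?", HOSTILE_NAME)
  puts bind_sql("SELECT * FROM users WHERE id = ? AND active = ?", 42, true)
end
```

Run it and compare the first two lines of output: the interpolated query has the quote from the input terminating the literal, while the bound query carries the same input as one harmless string. This is why "use the ORM's placeholders, never interpolate" is the check to make in code review.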


If "being proactive about security" was the only thing necessary then we'd all be using Internet Explorer still (a product which was pilloried over and over due to its sheer number of critical security vulnerabilities).

It's appropriate you bring up OpenBSD. Not only are they open with their security vulnerabilities as they're discovered, but they make security a core engineering goal (which is the part that people have been saying is missing from Rails).

No one is saying Rails shouldn't disclose security issues as they become informed about them. They're saying that there shouldn't be so many in the first place.

However one might argue that those who care about security might at least suspect that a rapid development system so dependent on convention would have issues like these and so it's not really fair to pin all this entirely on the Rails devs. Just as you wouldn't use a C library filled with gets() for security-sensitive code, no one forced anyone to install Rails.

Edit: And more to the point for Rails, it certainly seems to have delivered on the promise of rapid application development, ease of modification, etc. It's miles and miles better than using old CGI.pm with Perl (though there are other options now). Given that many simply would not have a neat-o Web 2.0 site (with many other built-in security protections) if they had used something else, it's hard to be too cross at the Rails devs... they may have burnt the pepperoni but at least they made you a pizza.


That's...kind of childish, and mean.


  Server:WEBrick/1.3.1 (Ruby/1.9.2/2011-07-09)
(via Chrome's network tab)

They're also including a link to the security announcement, so at least it's not mindless.


How can you be mean to a web framework? It's not like Java hasn't had the same crap against it for years. Should we stop being mean to it too? :(


Literally everyone bashes PHP, and it has had very few security problems in its history. Yes, I know it is not a framework, but still.