OK, I agree with you that escaping by default only stops some attacks, and if the developer's response is to simply disable the escaping every time they need to display HTML it's not going to be much help.
However, I would argue that nearly every Rails app does have susceptibility to these "trivial" attacks because Rails does not force you to think about when you want to display HTML.
I also agree that people disagree on this. But I still feel the default should always be the secure one.
I don't think that's a crazy point of view. I'm ambivalent. You have easier, better ways to win security arguments about Rails than the lack of one relatively trivial default setting, though.
However, I would argue that nearly every Rails app does have susceptibility to these "trivial" attacks because Rails does not force you to think about when you want to display HTML.
I also agree that people disagree on this. But I still feel the default should always be the secure one.