Why is it that all these parsing issues with yaml and xml were ignored before it all blew up recently? Input parsing is usually the most vulnerable part of any application, and it's strange that these issues were ignored for so long. These are not super complicated exploits; they are using the _expected_ behavior of the yaml parser in terms of it constructing arbitrary objects.
Well, an unsafe parser (which was designed only for parsing trusted input) was being used by lots of people (including Rails) for parsing untrusted input as if it were a safe parser. You can debate about whether there should be a safe parser for YAML, but that's a separate issue.
Agreed, there should be a clear warning - in fact, the load method should be renamed unsafe_load. The root cause of this is probably unclear documentation and misunderstandings between the users and authors of psych.
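As an added illustration of the distinction the thread is drawing (example code written for this page, not from psych or any commenter): the full loader revives whatever `!ruby/object` tag a document carries, while `safe_load` refuses unknown classes unless they are explicitly permitted. The `AuditEvent` class and the YAML document are constructed for the demo; the loader name is picked at runtime because newer psych versions renamed the unrestricted loader to `unsafe_load`.

```ruby
require 'yaml'

# Hypothetical application class, defined here only so that object
# revival is observable.
class AuditEvent
  attr_accessor :name
end

# Constructed untrusted document: a plain-looking record that carries a
# Ruby object tag, the mechanism the comments above describe.
UNTRUSTED_DOC = <<~YAML
  --- !ruby/object:AuditEvent
  name: injected
YAML

# Unrestricted loader: returns the class name of whatever the parser built.
# Older psych exposes this as YAML.load; psych 4 moved it to YAML.unsafe_load
# and made YAML.load safe by default.
def parse_with_unsafe_loader(doc)
  loader = YAML.respond_to?(:unsafe_load) ? :unsafe_load : :load
  YAML.public_send(loader, doc).class.name
end

# Restricted loader: only the classes listed in `permitted` may be revived;
# any other tag raises Psych::DisallowedClass, which is the behaviour a
# service handling untrusted input wants.
def parse_safely(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
  :ok
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts parse_with_unsafe_loader(UNTRUSTED_DOC)   # AuditEvent
  p parse_safely(UNTRUSTED_DOC)                   # [:rejected, "..."]
  p parse_safely(UNTRUSTED_DOC, permitted: [AuditEvent]) # :ok
end
```

Running it shows the same document being turned into an `AuditEvent` by the unrestricted loader and rejected by `safe_load` until that class is allow-listed.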