It's possible to mount the file system containing the production build of a Rails app (after "rake assets:precompile") completely read-only. In fact, Heroku, one of the more common cloud-management providers for Rails apps, does exactly that --- which means that if you want to support file uploads, you've got to stick the contents somewhere other than the file system. (Amazon S3 buckets are one popular choice.[1])
That said, this sort of setup might have made the recent YAML bugs somewhat more awkward to exploit, but it wouldn't defang them. What those exploits allow an attacker to do to an unpatched app is cause it to run arbitrary code immediately and directly; there's no second step. Even if they can't write the file system, they have any number of ways of getting information back to the attacker. So... get patched, I guess.
[1] https://devcenter.heroku.com/articles/paperclip-s3
That said, this sort of setup might have made the recent YAML bugs somewhat more awkward to exploit, but it wouldn't defang them. What those exploits allow an attacker to do to an unpatched app is cause it to run arbitrary code immediately and directly; there's no second step. Even if they can't write the file system, they have any number of ways of getting information back to the attacker. So... get patched, I guess.