Perhaps that's because the kind of person who has this kind of attitude, and who'd create an account called "tddfuckwitz" to come and spout it on HN, doesn't make a very good impression on the kind of rails devs who do know what they're doing, so you don't win them as clients.
- signed, a professional rails dev who takes security and code quality very seriously indeed
I'll take a bad Rails app any day over what people churn out in other platforms. I've seen Java apps so impenetrably opaque it's not even clear what it does. Rails is Rails. It's boring. It works. It's pretty hard to mangle the project so badly that you can't make sense of it.
Unless, of course, you've got no idea what Rails is or how it works.
Laravel has tried to push PHP in the right direction in a huge way, but it's not without its minor problems, either. Additionally, like any non-trivial code base it's had some vulnerabilities.
Now of course nobody uses Laravel, they just hand-roll, so the sorts of bugs you see in the PHP world are more pattern based (e.g. injection, XSS) than you'd see in a platform like Rails that is driven by convention.
Picking on it for having vulnerabilities without providing something in the way of a comparison is not very meaningful.
For example, all new gem releases should be signed and `HighSecurity` should be the policy but it's taken years to get very little progress. Changing to that policy would prevent entire classes of attacks, attacks that could subtly inject code into all sorts of apps in difficult-to-find ways. Large projects are still shipping unsigned gems, unsigned commits and unsigned tags. If RubyGems were hacked, progress might move slightly faster.
That being said, there are great services like GemCanary (https://gemcanary.com/) that will read your Gemfile and produce a list of vulnerable packages for you automatically. It'll even email you alerts when there are problems.
The security story in Rails might not be perfect, but at least there's reporting and tools.
Keep pushing for signed packages, though. Long overdue.
Yeah I think I'm going to take my chances with Express.js rather than Ruby on Rails with its 57 vulnerabilities in 6 years.