In web framework terms, Rails is old. When it was created single-page applications weren't on anyone's radar, APIs were extremely uncommon, and websockets hadn't been invented. It's natural to expect some pain try to adapt new paradigms into the old model. Whether this pain is worth it is up to the individual to decide. My web applications are almost always pure client-side these days, so Rails is not something I often turn to.
Not quite sure I'm understanding the point of your snark. The fact that vulnerabilities exist mean that it's not well tested? Take a look at the tests directory.
No matter how many tests you have, security vulnerabilities exist in your code, I assure you. Their frequency of discovery says more about the popularity of a codebase than it does about the thoroughness of testing.
I have to say that sort of stuff put me off Rails a bit. If you compare to Django for example for code execution vulnerabilities it's Django 0, Rails 11. Though Django has maybe 1/3 to 1/2 as many users as Rails it's still enough for it to be pretty well tested out.
