The only meaningful take-away from these continued security vulnerabilities is that you shouldn't ever let a Rails project you maintain ossify to the extent that you can't easily/safely run "bundle update", commit, and deploy.
(Didn't expect to post this comment twice today, JFC)
Well, there's also an issue of trust that I think is being overlooked.
We now need to ask ourselves, "Can we trust the Ruby community, and can we trust software written in Ruby?"
Before these recent exploits, there were a lot of us who would have already answered "no" to both parts of that question. Now there may be many more people who answer them the same way.
The warning signs have been there for a long time. The general attitude of the Ruby community is one of these warning signs. The smugness, the emphasis on "best practices" (which usually aren't very good, in reality) and the drama and semi-religious worship surrounding certain members of the community (DHH, Zed, and _why) are what I'm talking about. This kind of attitude promotes an environment where bugs can happen in the first place, then go undetected, and in many cases also go unpatched once discovered.
At this point, I think it's necessary to scrutinize the Ruby community and their software much more closely than has been done in the past. The complacency of the past is not acceptable any longer, given what has happened recently.