That's possible especially since I'm not a 'security practitioner' and I'm essentially talking about a subjective personal impression - that it's taken less seriously, is less reported and incidences of specific vulnerabilities or exploits in specific apps are not tracked in the way they are for operating systems and major applications. This may, in part, be because in the case of web apps fixes are immediately available to all users. On the other hand, you can head to the RoR download page right now and click your way to downloading the current vulnerable version of RoR. At no point will you get a suggestion to check for recent security advisories or patches.