I never claimed whatsoever that Rails itself is inherently more vulnerable. I made my comment with having maintained Rails apps for many years and watching the CVE list.