That assumes you know about the vulnerability, though. If you aren't subscribed to an email group, you might not find out for some period of time. The majority of Rails programmers, or beginners even, aren't a part of these email groups, so they might leave vulnerable code up on their servers indefinitely -- not good.
It might be better to have a cron job that nightly runs the bundle update command, then restarts the server. But again, this depends on you being smart enough to realize this, which, since we are talking about sane defaults, isn't something we might want to assume.
The whole issue is that Rails has tried to package what's 'probably a good idea' into the framework by default for quite a while. Unless every guide ever tells you to subscribe to the rails-security group, only those 'in the know' will know to do so. What's better, to have access to these updates by default, or to have half the Rails apps out there potentially compromised?
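The nightly bundle-update cron job proposed in the comment above, written out as an added shell example that is not part of the original thread. The script, its argument layout, the backup file name and the crontab path are all assumptions; the defaults it falls back to are Bundler's `bundle update` and the Passenger-style `touch tmp/restart.txt` restart. The point the comment glosses over is what happens when the unattended update fails: the script keeps the known-good Gemfile.lock, restarts only when the update succeeded and actually changed something, and rolls the lockfile back otherwise, so a broken nightly run leaves the app as it was instead of half-updated.

```shell
#!/bin/sh
# Added example (not from the thread): script a nightly cron entry can call.
# It runs the update command, keeps the known-good Gemfile.lock, restarts the
# app only when the update succeeded and changed the lockfile, and restores the
# old lockfile when the update fails. All three arguments are assumptions:
#   $1  app directory (the one holding Gemfile and Gemfile.lock)
#   $2  update command, default "bundle update"
#   $3  restart command, default "touch tmp/restart.txt" (Passenger restart)
# Return codes: 0 ok, 1 update failed (rolled back), 2 bad app dir, 3 restart failed.
update_and_restart() {
  app_dir="$1"
  update_cmd="${2:-bundle update}"
  restart_cmd="${3:-touch tmp/restart.txt}"
  lock="$app_dir/Gemfile.lock"
  backup="$lock.pre-update"

  [ -f "$lock" ] || { echo "no Gemfile.lock in $app_dir" >&2; return 2; }

  # Keep the lockfile we know works so a bad update can be undone.
  cp "$lock" "$backup" || return 2

  # Run the update inside the app directory; keep its output for inspection.
  if (cd "$app_dir" && sh -c "$update_cmd") >"$app_dir/last-update.log" 2>&1; then
    if cmp -s "$lock" "$backup"; then
      # Nothing changed, so there is nothing to restart.
      rm -f "$backup"
      return 0
    fi
    rm -f "$backup"
    (cd "$app_dir" && sh -c "$restart_cmd") || return 3
    return 0
  fi

  # Update failed: restore the previous lockfile and leave the app running as-is.
  mv "$backup" "$lock"
  return 1
}

# Example crontab line (assumed install path), running at 03:00 every night:
#   0 3 * * *  /usr/local/bin/nightly-bundle-update.sh /srv/myapp

# When invoked as a script (e.g. from cron) rather than sourced, act on $1.
if [ $# -gt 0 ]; then
  update_and_restart "$@"
fi
```

Two caveats a practitioner would add before putting this in cron: a bare `bundle update` upgrades every gem in the Gemfile, so an unattended run can pull in breaking changes unrelated to any security fix (narrowing it to the affected gem, or using Bundler's `--conservative` flag, limits that), and the script only tells you whether the update ran, not whether you are still carrying a gem with a published advisory, which is what a tool like bundler-audit checks against Gemfile.lock.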