It's a real compromise because that was the real rails github. If he'd created a test account on github and then messed with it, that would just be a proof of concept. Same demonstration value, but less disruptive, the difference between proving a point and rubbing it in someone's face. Suspending his account seems to me, for that reason, to be an acceptable penalty.
The Rails issue does seem larger, and, as others have observed, has that familiar ring of all the early PHP problems, where there's a feature which "everybody knows" you mustn't use but for some unfathomable reason they can't grasp that this makes providing it a bad idea and it must be deprecated. When even modern C shies away from providing the shotgun loaded, cocked and already pointed at your foot, you know it's time to take these things seriously.
As a github /user/ this doesn't really bother me, any more than when I used to provide source code as tarball dumps from an HTTP server. Git's cryptographic paper trail is impervious to defects in github, Rails, or Ruby itself. If github won't or can't fix it properly, I'll just move the repos somewhere else and continue as before.