Of course, right now there are thousands of sites running Rails at increased risk.
But if the Rails developers had reacted in 2008 when the issue popped up the first time, they could have quietly fixed it.
The whole affair demonstrates -- again -- why full disclosure is dearly needed. Because not even open source developers will react sensibly to some security-related bugs; much less companies producing closed source software.
In the end, we all will be safer because of it, although right now it will hurt.