Well, you have to use SOMETHING in the HTTP request to decide which DB fields to update. What else are you going to do, ignore user input? And Rails did offer whitelisting and documented how to use it to make your site safe. The problem was, surprise, surprise, developers didn't always do this.
The difficulty, as always, is in drawing the line between security and convenience. Overall, Rails has done such an excellent job of this that lots of other web frameworks are basically copying everything they do.
So, don't let this regrettable mistake color your opinion of the project as a whole. Most Rails sites don't even use mass assignment.
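To make the mass-assignment problem and the whitelisting fix concrete, here is a stand-alone Ruby sketch. It is an added example, not code from the thread above and not Rails' own implementation: no ActiveRecord is loaded, and the `User` class, its `name`/`email`/`admin` attributes, the `assign_all` and `assign_permitted` methods and the hostile request hash are all constructed for illustration. It shows the unfiltered update beside the whitelisted one (the idea behind `attr_accessible` and, later, strong parameters) on the same request input.

```ruby
# Added example, not from the original thread or from Rails itself.
# A minimal stand-in for an ActiveRecord model; the attribute names are assumed.
class User
  attr_accessor :name, :email, :admin

  # Only these attributes may be set from request input. This mirrors what a
  # whitelist (attr_accessible / strong parameters) does in a real Rails app.
  PERMITTED = %w[name email].freeze

  def initialize
    @name  = nil
    @email = nil
    @admin = false
  end

  # Unsafe: every key the HTTP request supplies becomes an attribute write.
  # A body like name=alice&admin=true flips the privilege flag.
  # (Values are kept as the raw strings received; real ActiveRecord would
  # type-cast "true" to a boolean, which does not change the outcome.)
  def assign_all(params)
    params.each do |key, value|
      setter = "#{key}="
      public_send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Whitelisted: keys outside PERMITTED are silently dropped, so the hostile
  # admin=true in the request never reaches the model.
  def assign_permitted(params)
    params.each do |key, value|
      next unless PERMITTED.include?(key.to_s)
      public_send("#{key}=", value)
    end
    self
  end

  def to_h
    { name: @name, email: @email, admin: @admin }
  end
end

# Constructed request parameters: what a malicious client would POST to a
# profile-update endpoint, with the admin flag smuggled alongside real fields.
HOSTILE_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.com",
  "admin" => "true"
}.freeze

# Returns the resulting attributes after an unfiltered mass assignment.
def unsafe_update(params = HOSTILE_PARAMS)
  User.new.assign_all(params).to_h
end

# Returns the resulting attributes after a whitelisted mass assignment.
def safe_update(params = HOSTILE_PARAMS)
  User.new.assign_permitted(params).to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_update}"
  puts "safe:   #{safe_update}"
end
```

Run it directly and the unsafe path reports `admin` as "true" while the whitelisted path leaves it `false`; the legitimate `name` and `email` go through in both cases, which is why developers who skipped the whitelist never noticed anything was wrong until someone sent the extra key.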