Not quite sure I'm understanding the point of your snark. The fact that vulnerabilities exist means that it's not well tested? Take a look at the tests directory.
No matter how many tests you have, security vulnerabilities exist in your code, I assure you. Their frequency of discovery says more about the popularity of a codebase than it does about the thoroughness of testing.
I have to say that sort of stuff put me off Rails a bit. If you compare to Django, for example, for code execution vulnerabilities, it's Django 0, Rails 11. Though Django has maybe 1/3 to 1/2 as many users as Rails, it's still enough for it to be pretty well tested out.
"well tested"