Most of these security vulnerabilities are "stop what you're doing right now and fix this" bugs.
Honestly I don't want a Rails 4 until all the rest of this has been shaken free. I'd rather Rails-core and other security minded rubyists keep digging for exploits.
There are so many security issues being unveiled that at this point one might wonder if Rails 4 (and a complete redesign) may not be the way to fix the security issues.
Maybe also, if ruby programmers learned to program (instead of doing banana driven lingo development) or committed suicide throwing themselves from a cliff (along with PHP developers) (like lemmings) we could also have a boring yet more secured internet.
Honestly I don't want a Rails 4 until all the rest of this has been shaken free. I'd rather Rails-core and other security minded rubyists keep digging for exploits.