If an app makes it possible to do SQL injections, whose fault is it?
What Rails have done is to have a particular default (whose correctness can be debated) and document how it can be exploited and how to safeguard from it.
You didn't really answer my question. Rails has all the helpers in place to sanitize input for SQL injection. Why in that case do they apply the defaults and not do so in this case? They both amount to making unwanted DB modifications.