If it was, at it occurred after the vulnerabilities were made public, they probably wouldn't say so as it would look pretty bad given the amount of advance warning they had.
No, but he's suggesting that you should've upgraded by now.
It would be difficult to defend such a position: "We didn't upgrade because, well, we didn't think it was a big deal"?
There's really no good answer to that question when the exploit has been public for so long (and widely covered in media, and by rails officially).