by kasparloog 4821 days ago
Well - that's enough work to maintain your own app. Maintaining a fork of Rails and drilling through all of the vulnerabilities - that's an extra overhead. It's simpler to regression test your own app, I suppose.
1 comments

I disagree that it's simpler to regression test your own app. The recent minor-minor version upgrade passed Rails core tests, as well as test suites at high profile Rails users, yet it contained a regression that caused the disclosure of some sensitive issues at those same high profile shops.

It's easier, from my viewpoint, to stick it out at a release that you know works for you, applying patches from the files contained in the CVEs. There's still a chance that the security patch will cause a regression, but at least you're not pulling in all the interim commits.