That is simply not true. Here's an example linked upthread for Struts, for example: http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote...

To be fair, other platforms and frameworks have had serialization issues, BUT, and this is the big one, they learned from the experience. Will the Ruby community learn? That is the question. Software Engineering are not dirty words!