
The therubyracer thing was annoying, but there's no reason it had to delay your upgrades -- you could simply lock to the same version of therubyracer you were using previously without problems; it was just as compatible with the new version of Rails.

The fact remains, though, that this exploit was _so_ severe that, depending on how attractive a target you were and how disastrous it would be for you to be compromised (financial services? High on both scales) -- it would have been a better choice to _take your app down_ until you could fix it, rather than leave it up with the vulnerability. The vulnerability was "an attacker can run whatever code they want on your server, and they can discover that you are vulnerable by a cheap automated port scan." It's as bad as it gets.



I'm not saying that you shouldn't mitigate this vulnerability immediately (which is not the same as upgrading to 3.2.11). People are asking why/how this kind of thing happens, and I'm pointing out that there are a lot of opportunities to make the wrong decision in this situation.



