My guess is that mostly no apps depend on that idiotic "YAML can parse and execute anything anybody sends us" feature, so wouldn't you forward-secure Rails (harden it?) by replacing YAML with a parser that only parses things?
One of the few things Rails LTS adds to prior 2.3 branches is a "hardened" set of security settings that turns off rarely-used and potentially vulnerable arg-parsing code.
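The "parser that only parses things" suggested above, as an added illustration that is not code from either commenter or from Rails LTS: Psych's `YAML.safe_load` builds only plain data (strings, numbers, booleans, nil, arrays, hashes) and raises on any `!ruby/...` tag, symbol or alias instead of constructing objects. The wrapper function and the sample documents are constructed for this example.

```ruby
require 'yaml'

# Parse a YAML document from an untrusted source (e.g. a request body)
# into plain data only. Returns [:ok, data] or [:rejected, reason].
# Assumption: Psych 2.0+ (Ruby 2.1+), where safe_load and
# Psych::Exception exist. On Psych >= 3.1, permitted_classes: can be
# passed to safe_load if specific classes such as Date are genuinely needed.
def parse_untrusted_yaml(text)
  # safe_load refuses object tags (Psych::DisallowedClass), aliases
  # (Psych::BadAlias) and malformed input (Psych::SyntaxError); all of
  # these inherit from Psych::Exception, so one rescue covers them.
  [:ok, YAML.safe_load(text)]
rescue Psych::Exception => e
  [:rejected, e.message]
end

# Constructed sample inputs: one ordinary params-style document and
# three that a data-only parser should refuse.
SAMPLES = {
  plain_data:  "user:\n  name: alice\n  age: 30\n",
  object_tag:  "--- !ruby/object:Object\nfoo: 1\n",
  symbol:      "key: :sym\n",
  alias:       "a: &x 1\nb: *x\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, doc|
    status, value = parse_untrusted_yaml(doc)
    puts "#{label}: #{status} -> #{value.inspect}"
  end
end
```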