Think you could be right there, so not a tiny amount of cash but looking at their page not even enough to have a full time dev on the gem tools...
Obv. as a security person I'd say they should prioritise security things like audits and improved Authentication requirements for gem owners, but realistically sounds like just keeping the lights on is pretty expensive.
They work on adding other features to rubygems and other things they fund. If I were them, I would work on nothing but security of rubygems.org gem releases.
