
But without extensive testing, which popularity generates, it is hard to have confidence that the striving was successful. In other words, popularity narrows the confidence interval around the measured and reported level of security.



Except that popularity doesn't generate extensive testing. IE was one of the most insecure pieces of software ever created, and was incredibly popular. People using software don't find security holes; people looking for security holes do. Has anyone with any credibility done an extensive security audit of Ruby on Rails? Not that I am aware of. So that puts it at the same level of confidence as Snap or Yesod. So then we have to judge by things like the track record, the underlying design, and the confidence we have in the developers behind the projects. None of those things are in Rails' or Django's favor.



