It's imporant to pick out vulnerabilities and deficiencies compared to other projects to get them addressed, rather than only say nice things. However, the core issue is that people raising them are usually ignored until there's an embarrassing hack or demonstration (Homakov).

For example, all new gem releases should be signed and `HighSecurity` should be the policy but it's taken years to get very little progress. Changing to that policy would prevent entire classes of attacks, attacks that could subtly inject code into all sorts of apps in difficult-to-find ways. Large projects are still shipping unsigned gems, unsigned commits and unsigned tags. If RubyGems were hacked, progress might move slightly faster.

Node.js is not bad.

The problem with thinking this way is that you don't know what security issues that nobody knows about yet are lurking in there. I remember the time before the recent spate of Rails vulnerabilities in the last 5 years or so, and I thought similarly about its security as you seem to about the Nodejs ecosystem. It's definitely possible that your confidence won't ever be punctured by a similar run of security issues, but my personal view is that it tends to be hubris to think your favorite technology is just better at security, for vague reasons.

Express is a micro framework, Rails is not. Rails covers more ground. You would want to compare security of Express to Sinatra or Grape.