
Rails 2.x apps aren't necessarily using Bundler at all, and some folks may have disabled the vulnerable parsers, or installed the security patches only into an earlier version to avoid other breaking changes or new deprecations. (Rails-core has gotten better at avoiding this kind of collateral damage from upgrades, but some folks are still gun-shy.)

Actually probing the running app really is the only way to be sure.



