Hacker News

It wasn’t a problem everywhere. It was only a problem where people used GET in an unsafe way, which was a minority of sites.

What makes Rails prominent in this was the creator of the framework blamed Google for their own bugs and told people to try to detect GWA to hide the links instead of telling people to follow the HTTP specification. People who followed his advice suffered the bug a second time, and people who ignored him and followed the HTTP specification avoided the problem.




It’s not just a problem with unsafe GET requests, it’s a problem for anyone who’s unfortunate enough to work for a company that logs web traffic (which was common practice back in the 90s / early 00s) and who happened to stumble on a site that might have hyperlinks to warez or porn (which, basically, could be any site with user generated content).

I remember hearing several stories about employees getting reprimanded for accessing sites they never intended to visit.

I also know of a similar tale when a national football team had their DNS hijacked and visitors were served porn instead of sports news (also happened around 2000 sort of time)


    > It wasn’t a problem everywhere. It was only a problem
    > where people used GET in an unsafe way,
This is technically correct.

    > which was a minority of sites.
I don't think those were a minority. A minority of sites got hit by GWA, but before that not many cared about what method was used either. PHP ruled the web back then, and I doubt security practices were much better. Heck, even Google's own Blogger was hit by it, iirc. What makes Rails prominent was that 37Signals were very prominent at the time, so everything Jason F. or DHH said was heard widely. And while you are right about following the spec being the proper way, implementing a quick fix to block GWA may be quicker to deploy than rewriting the app to use proper methods. These admin interfaces should have been under HTTPS anyway, and GWA did not follow HTTPS links. All those mistakes on the web apps' side do not mean that GWA was a good idea anyway, because it caused other problems which had nothing or little to do with idempotency: inflated traffic stats, messed up caches, etc.
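Added example to illustrate the point the thread keeps circling (state-changing GET links versus the spec's safe methods). This is not code from the thread, from Rails, or from 37Signals: plain Ruby with no gems, a toy request/response pair, a "before" app whose delete is a hyperlink, an "after" app that only mutates on POST/DELETE, and a crawler that behaves the way a link prefetcher did (GET every href, never submit a form). The item data and route names are constructed for the example.

```ruby
# Added example, not from the original thread. Plain Ruby, no Rails/Rack.
# Shows why "delete via GET link" breaks under any link-following client,
# and that switching to POST/DELETE (per the HTTP spec) removes the trigger
# without sniffing the client's User-Agent.

Request  = Struct.new(:verb, :path)
Response = Struct.new(:status, :body)

# Constructed sample data: record id => title.
def seed_items
  { 1 => "draft post", 2 => "published post" }
end

# "Before": delete is a plain hyperlink, so it fires on a GET. Anything that
# follows links (a prefetcher, a crawler, a link-checking proxy) deletes rows.
class UnsafeApp
  attr_reader :items

  def initialize(items)
    @items = items
  end

  def call(req)
    if req.verb == "GET" && req.path == "/items"
      Response.new(200, @items.map { |id, t| %(<a href="/items/#{id}/delete">delete #{t}</a>) }.join("\n"))
    elsif req.verb == "GET" && (m = req.path.match(%r{\A/items/(\d+)/delete\z}))
      @items.delete(m[1].to_i)          # state change on a safe method: the bug
      Response.new(302, "")
    else
      Response.new(404, "")
    end
  end
end

# "After": GET never changes state. The delete control is a form, so a
# prefetcher has no href to follow, and the handler rejects any other verb.
# (This removes the accidental trigger only; a deliberate cross-site POST
# still needs a CSRF token, which is outside this example.)
class SafeApp
  attr_reader :items

  def initialize(items)
    @items = items
  end

  def call(req)
    m = req.path.match(%r{\A/items/(\d+)\z})
    if req.verb == "GET" && req.path == "/items"
      Response.new(200, index_html)
    elsif m && req.verb == "GET"
      Response.new(200, "<p>#{@items[m[1].to_i]}</p>")   # read-only show page
    elsif m && %w[POST DELETE].include?(req.verb)
      @items.delete(m[1].to_i)
      Response.new(303, "")
    elsif m
      Response.new(405, "")                               # method not allowed
    else
      Response.new(404, "")
    end
  end

  def index_html
    @items.map do |id, t|
      %(<a href="/items/#{id}">#{t}</a>) +
        %(<form method="post" action="/items/#{id}"><button>delete</button></form>)
    end.join("\n")
  end
end

# Behaves like a link prefetcher on a plain-http page: fetch the index, then
# GET every href found in it. Forms are never submitted. Returns the hrefs.
def prefetch_links(app)
  page  = app.call(Request.new("GET", "/items"))
  hrefs = page.body.scan(/href="([^"]+)"/).flatten
  hrefs.each { |h| app.call(Request.new("GET", h)) }
  hrefs
end

# Run the same prefetcher against both apps and report how many rows survived.
def demo
  unsafe = UnsafeApp.new(seed_items)
  safe   = SafeApp.new(seed_items)
  prefetch_links(unsafe)
  prefetch_links(safe)
  { unsafe_left: unsafe.items.size, safe_left: safe.items.size }
end

puts demo.inspect   # {:unsafe_left=>0, :safe_left=>2}
```

The prefetcher is identical in both runs; only the application changed. That is the practical difference between the two fixes argued about above: a User-Agent block has to be maintained against every new link-following client, whereas refusing to mutate on GET holds for all of them.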





