IMHO, even changing all of your scripts that you don't have time to
audit to say "#! /bin/bash" explicitly at the top, and changing your
/bin/sh to be something other than bash would be a practical improvement
(eg, system() wouldn't be calling bash, and it's less likely bash would
be invoked with "untrusted" input).
What's to stop dash, or any other shell, having a similar problem?
Seems a reasonable suggestion to stick with what's getting the most attention from the security angle. Then again, maybe dash will get that now too - is it less code/simpler to audit?
To quote an esteemed security chap, who said privately, not necessarily in endorsement of my thoughts above:
"you want many eyes argument? there are MANY eyes looking now ;)"