If bash is invoked at any point in the response cycle you are pwned; not just if you are directly exposing a shell script. How confident are you that this never happens on any computers anywhere on your network ever?
That's ridiculous. You may as well say that every time you put a python script up, you're exposing the entire Python runtime and deserve to get 'pwned'.
The scope of the risk is limited to scripts that you write, whether bash or Python.
To be fair, with all the various ways in which shell scripts (not only in bash) interpolate, evaluate, substitute etc., the typical shell language is much, much harder to keep safe against code injection than, say, Python (or even PHP). After all, code injection/evaluation is actually what you want in a shell script, half of the time.
#!/bin/bash
tty
if [[ $? -ne 0 ]] ; then
    # command returned nonzero
    echo "not a tty"
else
    # command returned zero
    n=$?
    ((n=$n+2))
    ((n=$n+2))
    echo "0+2+2=$n";
fi
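
The script above feeds a variable into `((n=$n+2))`, and the comment before it is about how much the shell evaluates. As an added example (not from the thread), the sketch below shows that an arithmetic context evaluates a value as an expression rather than as a literal number, next to a form that accepts only plain digits first. The function names and sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example; function names and sample inputs are constructed.

# Weak form: the argument is pasted into an arithmetic context, where the
# shell evaluates it as an expression (operators, variable names) instead
# of treating it as a literal number.
add_two_unchecked() {
    echo "$(( $1 + 2 ))"
}

# Hardened form: accept only a plain decimal number before doing arithmetic.
# Rejected: empty input, leading zeros (would be read as octal), any
# non-digit character, and values of ten or more characters.
add_two_checked() {
    case $1 in
        0) ;;
        ''|0*|*[!0-9]*|??????????*) return 2 ;;
    esac
    echo "$(( $1 + 2 ))"
}

# Constructed inputs: a number, an expression, and a variable name.
limit=40
for sample in 5 '2*3' limit; do
    printf 'input=%s unchecked=%s ' "$sample" "$(add_two_unchecked "$sample")"
    if out=$(add_two_checked "$sample"); then
        echo "checked=$out"
    else
        echo "checked=rejected"
    fi
done
```

The unchecked form returns 8 for `2*3` and 42 for `limit`, because both strings are evaluated instead of being refused as non-numbers.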