The September 2014 Shellshock bug in bash was made much more serious because on many OSs, /bin/sh is bash. Very few scripts and programs invoke bash explicitly, but everyone calls /bin/sh. Without that linkage the bug would have been a mere curiosity, and indeed it was on OSs like FreeBSD which have a real /bin/sh.
If you are still nervous about bash even after patching it, and would prefer that your /bin/sh not be just a copy of bash, how about installing a real /bin/sh? This is the FreeBSD 10.0 /bin/sh, minimally modified to be portable. It is known to build on Linux and OpenBSD, and still builds on FreeBSD too.
I haven't actually installed it because I don't need it here. Also, scary! If you try it, let me know what happens.
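To find out whether a machine has the /bin/sh-is-bash linkage described above, the following added example (not part of the original post or of the FreeBSD sh port) follows the /bin/sh symlink chain and asks the shell whether it is bash. The function names `resolve_link`, `sh_flavor` and `report` are this example's own, and it assumes a `readlink` utility is available, as it is on Linux, FreeBSD and OpenBSD.

```shell
#!/bin/sh
# Added example: report what /bin/sh really is on this machine.

# Follow a symlink chain to its final target without GNU-only "readlink -f".
resolve_link() {
    p=$1
    n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do
        t=$(readlink "$p") || break
        case $t in
            /*) p=$t ;;                      # absolute link target
            *)  p=$(dirname "$p")/$t ;;      # relative to the link's directory
        esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# Print "bash", "not-bash" or "missing" for the shell at path $1.
# bash sets BASH_VERSION even when it is started under the name "sh",
# so this works when /bin/sh is a copy of bash rather than a symlink.
sh_flavor() {
    [ -x "$1" ] || { echo missing; return 0; }
    v=$("$1" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null) || v=
    if [ -n "$v" ]; then echo bash; else echo not-bash; fi
}

# One summary line: path, resolved target, flavor.
report() {
    printf '%s -> %s: %s\n' "$1" "$(resolve_link "$1")" "$(sh_flavor "$1")"
}

report /bin/sh
```

A result of `bash` means every script and `system()` call that uses /bin/sh on that machine is running bash.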