by kragen
4285 days ago
The reason that bash has put security holes in your system, and qmail hasn't, is largely that bash goes around parsing random strings, and qmail doesn't. Strings you treat as opaque data are guaranteed not to overflow your parsing stacks (like the ten-redirect limit just discovered), have null-byte injection vulnerabilities, or even just be parsed incorrectly. (However, it's certainly true that carelessly passing strings through to things that do interpret them will cause vulnerabilities. SQL injection, shell injection, that really bizarre XSS hole I found in CGI.pm last millennium, XSS in general...)