Except the FSF never said anything like "Please don't use bash for CGI, it's not secure enough". If they had, then they would have to recognize that bash is not secure enough for other uses as well.
How does it violate your freedom to warn you of a serious danger? The fact is they didn't know bash would execute code found in arbitrary application-defined variables. And that is why GNU calls it a bug.
Sure, it's a bug but it's not ultimately their fault that it had the impact that it did as a result of people using it for purposes they might not have had in mind.