Even perl has some resemblance of CGI security
Even perl has a resemblance of the applicable security features you need for CGI. In fact, it is probably better on that front than PHP.
Bash has none. It does not belong in a CGI, end of story. Any idiot sticking bash in a CGI is frankly asking for it, and they are most likely exploitable via 20 other different ways besides Shell Shock.