/bin/sh is linked to /bin/bash and vulnerable
Only for a distro which is designed and implemented STUPIDLY. Granted a lot of major distros do this. RHEL for example. And yes, it is stupid and lazy. It is stupid because bash does not perfectly implement POSIX sh behavior. Even when $0 is /bin/sh, the reduced emulation is flawed. It still allows extensions which expose bugs. And it is lazy because they allowed crap scripts to creep into the system so that they decided it was too hard to weed them out. A crap script is one whose shebang line says "#!/bin/sh" instead of "#!/bin/bash, which claims that all it needs is POSIX sh, but which still relies on bash extensions, because the writer never tested it on a real sh.
Debian and ubuntu link /bin/sh to dash instead of bash. The BSDs do not link /bin/sh to anything; they start with a proper POSIX sh. Dash, and BSD sh, are much better implementations of POSIX sh behavior than bash is. They doesn't have the buggy extensions and are much lighter weight. The best interactive shell is not the best, or even necessarily an acceptable, scripting shell. You can install bash in debian or ubuntu or BSD and it doesn't hook into and take over /bin/sh.
Let's not forget that the multiple bugs which have recently come to light are all in bash. I have seen nothing similar exposed in BSD sh, dash, mksh, csh/tcsh, or zsh. Looks to me like the coding of bash was crappy going back at least 25 years.