But even here, again, when you look at a typical OS X desktop system, now many people:
1. Have apache enabled AND exposed to the public internet (i.e., not behind a NAT router, firewall, etc)?
2. Even have apache or any other services enabled at all?
So, in the context of OS X, it's yet another theoretical exploit; "theoretical" in the sense that it effects essentially zero conventional OS X desktop users. Could there have been a worm or other attack vector which then exploited the bash vulnerability on OS X? Sure, I suppose. But there wasn't, and it's a moot point since a patch is now available within days of the disclosure.
And people running OS X as web servers exposed to the public internet, with the demise of the standalone Mac OS X Server products as of 10.6, is almost a thing of yesteryear itself.
Nothing has changed since that era: all OSes have always been vulnerable to attacks, both via local and remote by various means, and there have been any number of vulnerabilities that have only impacted UN*X systems, Linux and OS X included, and not Windows, over very many years. So yeah, nothing has changed, and OS X (and iOS) is still a very secure OS, by any definition or viewpoint of the definition of "secure", when viewed alongside Windows (and Android).