Reply to post: Not just CGI

Bad boy builds beastly Bash bug botnet, boxen battered

Nick Kew

Not just CGI

People running Apache: if you think you may be at risk, watch Planet Apache for a solution built into the server!

I'd take issue with the assertion that CGI+bash is likely to be the most usual vector. Applications (CGI or otherwise) that invoke bash through system() or equivalent may very well be more widespread.

Some of those could be running under a standard server. For example, SSI "<!--#exec cmd ...", or a filter running under Apache's mod_ext_filter. The latter is recommended as a security measure in at least one well-reputed security book, albeit not actually running bash!

Also worth noting, Linux is particularly vulnerable. Most scripts use #!/bin/sh, which is normally old Bourne shell. Linux doesn't have Bourne shell, but uses an emulator for #!/bin/sh, and that emulator is usually bash.
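Whether `#!/bin/sh` scripts on a given host actually run under bash can be checked directly. The script below is an added example, not part of the original comment: its function names are hypothetical, it assumes a `readlink` that supports `-f`, and it only looks at shebang lines, so programs that reach the shell through system() are out of its scope.

```shell
#!/bin/sh
# Added example: find scripts that end up running under bash.

# resolve_sh [PATH]: basename of the binary PATH finally points to
# (bash, dash, busybox, ...). PATH defaults to /bin/sh.
resolve_sh() {
    target=$(readlink -f "${1:-/bin/sh}") || return 1
    printf '%s\n' "${target##*/}"
}

# shebang_name FILE: basename of the interpreter on FILE's "#!" line,
# looking through "/usr/bin/env NAME". Prints nothing without a "#!".
shebang_name() {
    first=
    IFS= read -r first 2>/dev/null < "$1" || [ -n "$first" ] || return 0
    case $first in '#!'*) ;; *) return 0 ;; esac
    set -f; set -- ${first#'#!'}; set +f   # split into words, no globbing
    [ $# -gt 0 ] || return 0
    name=${1##*/}
    if [ "$name" = env ] && [ $# -gt 1 ]; then name=${2##*/}; fi
    printf '%s\n' "$name"
}

# audit_tree DIR [SH_PATH]: list files under DIR whose interpreter is bash,
# either named directly or reached through an sh that resolves to bash.
audit_tree() {
    sh_is=$(resolve_sh "${2:-/bin/sh}") || sh_is=unknown
    find "$1" -type f | while IFS= read -r f; do
        case $(shebang_name "$f") in
            bash) printf '%s\tbash (direct)\n' "$f" ;;
            sh) if [ "$sh_is" = bash ]; then
                    printf '%s\tbash (via sh)\n' "$f"
                fi ;;
        esac
    done
}

# Usage: sh audit.sh /var/www/cgi-bin   (path is only an illustration)
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```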
