Re: When will we get rid of this malady?
The OpenSMTPD project claims it's "part of the OpenBSD project", but OpenBSD itself lists it as an "associated project". It appears to be primarily the work of two developers, neither of whom is Theo de Raadt. I do think it's unfortunate that OpenBSD adopted OpenSMTPD without challenging it on this very poor architectural decision, though.
The first of OpenSMTPD's stated goals is "Be as secure as possible". Exec'ing the shell with tainted input on the command line is not compatible with that goal, regardless of how much whitelisting and escaping you try to do.
I also find it disturbing that this bug was reportedly introduced in 2018. There was an OpenSMTPD update in 2015 that fixed various security holes (and looking at the diffs is not encouraging, frankly). Then sometime over that five-year gap, someone decided to make a change that created a severe vulnerability. Where was the code review for that? What improvement was that change meant to deliver? Public-facing network services are the most prominent facets of the attack surface, and should receive the most scrutiny, but this 2018 change doesn't seem to have registered on the OpenSMTPD project website.
Also, I'm curious to know what's supposed to justify OpenSMTPD as an alternative to, say, qmail, or a new project based on qmail. Was writing a new MTA in C really the best idea?
And, seriously, any decent static-code analyzer with data-flow analysis should have been able to catch this. A dynamic-analysis tool that explores untested code paths - even something like AFL - should have been able to catch the offending case too. Seems like the OpenSMTPD team isn't making use of tooling to help catch vulnerabilities. That, too, is a failure to live up to their own goals.
All that said, using this (really quite appalling) error as an excuse for a blanket condemnation of OpenBSD is simplistic to the point of uselessness. OpenBSD has addressed many other vulnerabilities, and no non-trivial system is perfectly secure. We may hope that this incident leads the OpenBSD team to turn a more critical eye on their associated projects.
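The contrast the comment draws, as an added example (not part of the original post and not OpenSMTPD's code): a tainted sender string pasted into a `sh -c` command line versus handed over as a single `argv` element with no shell involved. The function names, the `true` stand-in for a delivery program, and the sample input are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, exec argv[0] via PATH, return the child's exit status (-1 on error). */
static int spawn(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                 /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Risky pattern: the tainted value becomes text that /bin/sh parses. */
int deliver_via_shell(const char *sender)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "true %s", sender);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                  /* refuse truncated command lines */
    char *argv[] = { "sh", "-c", cmd, NULL };
    return spawn(argv);
}

/* Safer pattern: no shell; the tainted value is one argv element, never parsed. */
int deliver_via_argv(const char *sender)
{
    char *argv[] = { "true", (char *)sender, NULL };
    return spawn(argv);
}

int main(void)
{
    const char *sender = "x; exit 7";   /* constructed sample input */
    printf("via shell: exit status %d\n", deliver_via_shell(sender));
    printf("via argv:  exit status %d\n", deliver_via_argv(sender));
    return 0;
}
```

With the constructed input, the shell variant exits with status 7 because `sh` treats the `;` as a command separator, while the `argv` variant exits 0 because `true` receives the whole string as one inert argument.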