Shellshock was possible because of the black box. It wasn't shell scripts that were the problem, but a parsing error. Systemd is one giant black box and a great deal of C code; there's bound to be some interesting CVE's lurking in there.
I've been using systemd on Arch Linux since their adoption of it in late 2012, and it's not bad, but I'm reluctant to run servers with it - I have already encountered an odd case of NFS mounts in etc/fstab not behaving as they should, and the Bugzilla is still open.
Most of all, I'm not convinced of the 'problem' - shell scripts have worked effectively for years, and they are as transparent as they are complex. Their implementation was deliberate. Systemd swaps complexity you can at least see for low level code you've much less chance of understanding. Yes, application packagers have to work out how to get the services to work if they're using Sys V (or similar), but honestly, how hard is this? You can boilerplate a lot of it.
As regards adoption rates, they're also high for Internet Explorer; it doesn't really mean much.
I don't particularly dislike systemd, but I definitely wonder if this is the direction Linux should be going in.