Oh, I'm certainly not suggesting that OS X and iOS are incredibly porous. That said, the presence of holes, however deep and impossible to see, still makes them available. What's more important than this though is the speed with which companies plug holes and if recent events are anything to go by, all tech companies seem pretty slow at patching things.
The BASH fix was rolled out for OS X within a week..
So, that's really not that slow if you allow for testing (and you'd be pretty unhappy if these things were simply risk-assessed and released, I believe)
12 September 2014 - reported to BASH maintainers
24 September 2014 - disclosed publicly (verification does need to occur)
29 September 2014 - patch available as OS X bash Update 1.0
Now, the problem:
So we have a situation where a standardized shell is vulnerable, this needs to be communicated to those who use the shell. This is done publicly, which is the most efficient and transparent option. The problem with this is, as soon as the vulnerability was communicated, thousands of botnets were generated to take advantage of it. How do we make this information available without alerting those who would utilize it? Fundamentally, this is a large question.