Their fix just future-proofs it in case the same bug gets reintroduced.
This is just a dirty fix. It adds weird restrictions and masks issues.
Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.
A correct implementation would be to just call glibc directly, this seems like a hasty fix to get the patch out the door. The history of vulns from bad shell escaping is as old as bash, whenever possible you probably shouldn't be mixing code and data, especially in a security critical application like this.