This is really a guide on how to use the escapeshellarg when you should use escapeshellcmd (or the opposite). Of course, the API of system() is pretty awful, so there is an issue here in the form of "wow, PHP makes this really easy to mess up," but there's no actual exploit in either function mentioned. Just exploits in code people write using them. I guess the LANG one is arguably an actual exploit though, though that gets into arguing semantics.
Edit: there's also an example that is missing quotes around an argument. Again, something very easy to mess up, but that's what you get when you have a function that is basically like typing a line into the shell.
How about we just don't run system calls, especially none that contain any amount of user input.
Of course, unlike other saner languages, bypassing the shell isn't always an option. When running under Apache, pcntl_exec() isn't available, so you just gotta hope rely on escapeshellarg(), addbackslashes(), and prayer.